Bug 756587 - ensure manifest urls belong to same origin
Status: RESOLVED FIXED
[needs-test]
Product: Firefox
Classification: Client Software
Component: SocialAPI
Version: unspecified
Platform: x86 Mac OS X
Importance: -- critical
Assigned To: Shane Caraveo (:mixedpuppy)
: Shane Caraveo (:mixedpuppy)
Blocks: 733414
Reported: 2012-05-18 13:24 PDT by Shane Caraveo (:mixedpuppy)
Modified: 2012-05-23 16:38 PDT

Description Shane Caraveo (:mixedpuppy) 2012-05-18 13:24:22 PDT
If we load a manifest that is not a resource uri, ensure that the urls are same-origin.
Comment 1 Mark Hammond [:markh] 2012-05-20 18:27:51 PDT
Would another option be that we don't support absolute URLs in the manifest, apart from, say, URLPrefix?
Comment 2 Shane Caraveo (:mixedpuppy) 2012-05-20 23:17:04 PDT
For the manifest urls, we are absolutely talking same-origin, protocol+host+port.  URLPrefix should only be used in the case we are loading from a resource URI, otherwise it should be ignored.
Comment 3 Shane Caraveo (:mixedpuppy) 2012-05-21 14:18:51 PDT
pushed a validation/cleansing function in change https://github.com/mozilla/socialapi-dev/commit/3a731bfad4e4a861b17be5e3e0048f6e480dc143
Comment 4 Shane Caraveo (:mixedpuppy) 2012-05-23 16:38:43 PDT
pushed tests on this today https://github.com/mozilla/socialapi-dev/commit/f9d2f6388b219df49e9809fb3a85b3d9e8f0e3a0
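
The same-origin rule from comment 2 (protocol + host + port, with URLPrefix honoured only for resource: manifests), written out as an added example; it is not the code from the linked commits. The manifest field names and the choice to check a resource: manifest's URLs against the URLPrefix origin are assumptions.

```javascript
// Added example. Field names below are hypothetical, not taken from the
// socialapi-dev code.
const URL_FIELDS = ["workerURL", "sidebarURL", "iconURL"];

// Same origin means protocol + host + port all match. The WHATWG URL parser
// lowercases the host and drops default ports, so ":443" on https compares
// equal to no port.
function sameOrigin(a, b) {
  return a.protocol === b.protocol &&
         a.hostname === b.hostname &&
         a.port === b.port;
}

// Returns { manifest, rejected }: a copy with every URL field made absolute,
// and the list of fields dropped for failing validation.
function cleanseManifest(manifest, manifestLocation) {
  const location = new URL(manifestLocation);
  const fromResource = location.protocol === "resource:";
  // URLPrefix is honoured only for resource: manifests; ignored otherwise.
  const base = fromResource && manifest.URLPrefix
    ? new URL(manifest.URLPrefix) : location;
  const cleaned = { ...manifest };
  delete cleaned.URLPrefix;
  const rejected = [];
  for (const field of URL_FIELDS) {
    if (!(field in manifest)) continue;
    let resolved = null;
    try {
      // Resolves relative, absolute and protocol-relative ("//host/x") forms.
      resolved = new URL(manifest[field], base);
    } catch (e) { /* unparseable value: treated as rejected below */ }
    // Assumption: a resource: manifest is checked against its URLPrefix origin.
    if (resolved && sameOrigin(resolved, base)) {
      cleaned[field] = resolved.href;
    } else {
      delete cleaned[field];
      rejected.push(field);
    }
  }
  return { manifest: cleaned, rejected };
}

// Constructed sample: a manifest fetched from https://social.example/manifest.json
const sample = cleanseManifest({
  workerURL: "/worker.js",
  iconURL: "//cdn.example/icon.png",
  URLPrefix: "https://evil.example/",
}, "https://social.example/manifest.json");
console.log(sample.manifest, sample.rejected);
```

Comparing parsed components rather than string prefixes is what keeps values such as `https://social.example@evil.example/` or a protocol-relative `//cdn.example/` from passing.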
