ensure manifest urls belong to same origin

RESOLVED FIXED

Status

Firefox
SocialAPI
--
critical
5 years ago
5 years ago

People

(Reporter: mixedpuppy, Assigned: mixedpuppy)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [needs-test])

(Assignee)

Description

5 years ago
If we load a manifest that is not a resource URI, ensure that the URLs are same-origin.
Would another option be that we don't support absolute URLs in the manifest, apart from, say, URLPrefix?
(Assignee)

Comment 2

5 years ago
For the manifest URLs, we are absolutely talking same-origin, protocol+host+port. URLPrefix should only be used in the case we are loading from a resource URI, otherwise it should be ignored.
(Assignee)

Updated

5 years ago
Assignee: nobody → mixedpuppy
(Assignee)

Comment 3

5 years ago
Pushed a validation/cleansing function in change https://github.com/mozilla/socialapi-dev/commit/3a731bfad4e4a861b17be5e3e0048f6e480dc143
Whiteboard: [needs-test]
Blocks: 733414
(Assignee)

Comment 4

5 years ago
Pushed tests on this today: https://github.com/mozilla/socialapi-dev/commit/f9d2f6388b219df49e9809fb3a85b3d9e8f0e3a0
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → FIXED
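
The check discussed in this bug, sketched as an added example; it is not the code from the linked socialapi-dev commits. It resolves each manifest URL against the manifest's location and keeps only those whose protocol, host and port match, honouring URLPrefix only for a resource: manifest. Assumptions: the field names, the helper names, the rule that any key ending in "URL" is a URL field, and that under a resource: manifest the URLs must share URLPrefix's origin.

```javascript
// Added example. Field names (workerURL, sidebarURL, ...) and helper names are
// assumptions for illustration; they are not taken from the linked commits.

// Same-origin as stated in Comment 2: protocol + host + port.
function sameOrigin(a, b) {
  // URL.host includes the port unless it is the scheme default, so
  // protocol + host covers all three components.
  return a.protocol === b.protocol && a.host === b.host;
}

function cleanseManifest(manifestLocation, manifest) {
  const location = new URL(manifestLocation);
  // URLPrefix is honoured only when the manifest itself is a resource: URI.
  const usePrefix = location.protocol === "resource:" && manifest.URLPrefix;
  const base = usePrefix ? new URL(manifest.URLPrefix) : location;
  const accepted = {};
  const rejected = [];
  for (const [key, value] of Object.entries(manifest)) {
    if (key === "URLPrefix") continue;            // never passed through
    if (!key.endsWith("URL")) { accepted[key] = value; continue; }
    let resolved = null;
    try {
      if (typeof value === "string") resolved = new URL(value, base);
    } catch (e) { /* unparsable URL: treated as rejected below */ }
    if (resolved && sameOrigin(resolved, base)) accepted[key] = resolved.href;
    else rejected.push(key);
  }
  return { accepted, rejected };
}

// Constructed sample manifest, served from a remote (non-resource) location.
const SAMPLE_LOCATION = "https://provider.example/social/manifest.json";
const SAMPLE_MANIFEST = {
  name: "Example Provider",
  URLPrefix: "https://other.example/",               // ignored: not resource:
  workerURL: "worker.js",                            // relative, same origin
  sidebarURL: "https://provider.example:443/sidebar.html", // default port
  iconURL: "http://provider.example/icon.png",       // scheme differs
  shareURL: "https://provider.example:8443/share",   // port differs
  markURL: "//other.example/mark",                   // host differs
};

console.log(cleanseManifest(SAMPLE_LOCATION, SAMPLE_MANIFEST));
```

Accepted URLs are returned in resolved absolute form, so later consumers never re-resolve a relative value against a different base.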