Bug 39196

Summary: Allowed script origin not adhered to when there are redirections
Product: Batik - Now in Jira Reporter: Cameron McCormack <cam>
Component: ScriptingAssignee: Batik Developer's Mailing list <batik-dev>
Status: NEW ---    
Severity: normal    
Priority: P2    
Version: 1.8   
Target Milestone: ---   
Hardware: All   
OS: All   
URL: http://mcc.id.au/temp/2006/script-origin.svg

Description Cameron McCormack 2006-04-04 05:37:43 UTC
If the allowed script origin is set to "document" (same host), and when fetching
the script a redirect to a different host occurs, the script is still loaded. 
The URL above shows an example file with two 100x100 rects.  Both should be
green, indicating that the two scripts didn't load.  However, the referenced URL
http://mcc.id.au/temp/2006/redirect.js redirects to
http://arc.mcc.id.au/temp/2006/nasty-redirected.js, and is then run, which makes
the second rect red.

There should be some way to enforce this using Java's security stuff, when the
ParsedURLData opens the URLConnection, but I am not very familiar with
permissions and so on.  If this isn't possible, then I guess redirections could
be turned off for the URLConnection, which would then have to be handled manually.

This is probably a problem for the external resource origin setting, too.