Bug 39196 - Allowed script origin not adhered to when there are redirections
Summary: Allowed script origin not adhered to when there are redirections
Status: NEW
Alias: None
Product: Batik - Now in Jira
Classification: Unclassified
Component: Scripting
Version: 1.8
Hardware: All All
Importance: P2 normal
Target Milestone: ---
Assignee: Batik Developer's Mailing list
URL: http://mcc.id.au/temp/2006/script-ori...
Reported: 2006-04-04 05:37 UTC by Cameron McCormack
Modified: 2006-04-03 22:37 UTC
Description Cameron McCormack 2006-04-04 05:37:43 UTC
If the allowed script origin is set to "document" (same host), and when fetching
the script a redirect to a different host occurs, the script is still loaded. 
The URL above shows an example file with two 100x100 rects.  Both should be
green, indicating that the two scripts didn't load.  However, the referenced URL
http://mcc.id.au/temp/2006/redirect.js redirects to
http://arc.mcc.id.au/temp/2006/nasty-redirected.js, and is then run, which makes
the second rect red.

There should be some way to enforce this using Java's security stuff, when the
ParsedURLData opens the URLConnection, but I am not very familiar with
permissions and so on.  If this isn't possible, then I guess redirections could
be turned off for the URLConnection, which would then have to be handled manually.

This is probably a problem for the external resource origin setting, too.
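
The manual redirect handling suggested in the description, sketched as an added example; it is not part of the original report and is not Batik code. The class name, MAX_HOPS, the locationOf callback and the moved.js/local.js entries are assumptions made for illustration, and the redirect table is constructed so the example runs offline.

```java
import java.io.IOException;
import java.net.URI;
import java.util.Map;
import java.util.function.Function;

// Added example (hypothetical names): follow redirects by hand and check every hop's host.
public class SameHostRedirects {
    static final int MAX_HOPS = 5; // assumed limit, guards against redirect loops

    /**
     * Returns the final URI if every hop stays on allowedHost, otherwise throws.
     * locationOf yields the redirect target for a URI, or null for a non-redirect response.
     * With a real HttpURLConnection that means calling setInstanceFollowRedirects(false)
     * and reading getHeaderField("Location") when getResponseCode() is a 3xx redirect.
     */
    static URI resolve(URI start, String allowedHost, Function<URI, String> locationOf)
            throws IOException {
        URI current = start;
        for (int hop = 0; hop <= MAX_HOPS; hop++) {
            String host = current.getHost();
            if (host == null || !host.equalsIgnoreCase(allowedHost)) {
                throw new SecurityException("host " + host + " is not " + allowedHost);
            }
            String location = locationOf.apply(current);
            if (location == null) {
                return current;                   // final response: body may be read
            }
            current = current.resolve(location);  // Location may be a relative reference
        }
        throw new IOException("too many redirects from " + start);
    }

    public static void main(String[] args) throws IOException {
        // Constructed redirect table: the first entry mirrors the redirect in the report,
        // the second is a made-up same-host redirect with a relative Location value.
        Map<URI, String> redirects = Map.of(
            URI.create("http://mcc.id.au/temp/2006/redirect.js"),
            "http://arc.mcc.id.au/temp/2006/nasty-redirected.js",
            URI.create("http://mcc.id.au/temp/2006/moved.js"), "local.js");
        for (String start : new String[] {"http://mcc.id.au/temp/2006/moved.js",
                                          "http://mcc.id.au/temp/2006/redirect.js"}) {
            try {
                URI target = resolve(URI.create(start), "mcc.id.au", redirects::get);
                System.out.println("load " + target);
            } catch (SecurityException e) {
                System.out.println("blocked " + start + ": " + e.getMessage());
            }
        }
    }
}
```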