Posted to batik-dev@xmlgraphics.apache.org by bu...@apache.org on 2006/04/04 06:37:44 UTC

DO NOT REPLY [Bug 39196] New: - Allowed script origin not adhered to when there are redirections

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39196>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39196

           Summary: Allowed script origin not adhered to when there are
                    redirections
           Product: Batik
           Version: 2.0
          Platform: All
               URL: http://mcc.id.au/temp/2006/script-origin.svg
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Scripting
        AssignedTo: batik-dev@xmlgraphics.apache.org
        ReportedBy: cam@apache.org


If the allowed script origin is set to "document" (same host), and when fetching
the script a redirect to a different host occurs, the script is still loaded. 
The URL above shows an example file with two 100x100 rects.  Both should be
green, indicating that the two scripts didn't load.  However, the referenced URL
http://mcc.id.au/temp/2006/redirect.js redirects to
http://arc.mcc.id.au/temp/2006/nasty-redirected.js, and is then run, which makes
the second rect red.

There should be some way to enforce this using Java's security stuff, when the
ParsedURLData opens the URLConnection, but I am not very familiar with
permissions and so on.  If this isn't possible, then I guess redirections could
be turned off for the URLConnection, which would then have to be handled manually.

This is probably a problem for the external resource origin setting, too.


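As an added illustration (not Batik's own code, and not written by the reporter), a hypothetical Java helper that does what the last paragraph proposes: turn automatic redirection off on the HttpURLConnection and re-apply the same-host check at every hop, so a redirect to another host is rejected before its body is ever handed to the script engine. It assumes, as the report does, that the "document" origin means "same host as the document"; the class and method names are invented, and only http/https URLs are handled.

```java
import java.io.IOException;
import java.net.HttpURLConnection;
import java.net.URL;

/** Hypothetical helper, not Batik code: fetches a script URL while enforcing
 *  a "document" (same-host) origin policy on every redirect hop. */
public final class OriginCheckedFetcher {
    private static final int MAX_REDIRECTS = 5;

    /** True when candidate is served from the same host as the document. */
    static boolean sameHost(URL document, URL candidate) {
        return document.getHost().equalsIgnoreCase(candidate.getHost());
    }

    /** Opens target, following redirects by hand; throws SecurityException as
     *  soon as any hop (the first one included) leaves the document's host. */
    static HttpURLConnection openChecked(URL document, URL target) throws IOException {
        URL current = target;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!sameHost(document, current)) {
                throw new SecurityException("script host " + current.getHost()
                        + " differs from document host " + document.getHost());
            }
            HttpURLConnection conn = (HttpURLConnection) current.openConnection();
            conn.setInstanceFollowRedirects(false); // we resolve redirects ourselves
            int code = conn.getResponseCode();
            boolean redirect = code == HttpURLConnection.HTTP_MOVED_PERM
                    || code == HttpURLConnection.HTTP_MOVED_TEMP
                    || code == HttpURLConnection.HTTP_SEE_OTHER
                    || code == 307 || code == 308;
            if (!redirect) {
                return conn; // final hop, already verified to be same-host
            }
            String location = conn.getHeaderField("Location");
            conn.disconnect();
            if (location == null) {
                throw new IOException("redirect without Location header");
            }
            current = new URL(current, location); // Location may be relative
        }
        throw new IOException("too many redirects");
    }

    /** Offline check using the hosts from the report: the redirected script
     *  lives on arc.mcc.id.au, not on the document's host mcc.id.au. */
    public static void main(String[] args) throws Exception {
        URL doc = new URL("http://mcc.id.au/temp/2006/script-origin.svg");
        URL redirected = new URL("http://arc.mcc.id.au/temp/2006/nasty-redirected.js");
        System.out.println("same host: " + sameHost(doc, redirected)); // false
    }
}
```

Checking the host before each openConnection call is what closes the gap the report describes: with the JDK's automatic redirection, the only host ever inspected is the one in the original script URL. The same per-hop check applies to the external resource origin setting the reporter mentions.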