[deleted]

LouiseRBaldwin · Post by **LouiseRBaldwin** » Fri Apr 11, 2014 3:42 pm

[deleted]

Post by **Giorgio Maone** » Fri Apr 11, 2014 7:10 pm

This has been deliberated design choice, based on:

The availability of effective countermeasures against MITM attacks like the one you described (HSTS, ForceHTTPS, NoScript's built-in HTTPS options...)
Known false positive issues which would be caused by the stricter policy you're descibing

However I guess I could try to enforce injection checks when landing on HTTPS from a different protocol/port, maybe with an about:config preference switch off, and see how it goes...
[Edit]
Sorry, I wrote the above defense assuming you actually checked your statement, but it looks we already treat different schemes with same host name as different origins for cross-site request checks purposes, see my follow-up post below for a POC...
In facts, the false positives I mentioned are (safely) managed as ad-hoc exceptions.
[Edit 2]
The POC below failed on me because of some extra paranoid settings of mine, but it generally works. Sorry for the late night mistake.
Please check my 2nd post below, too.

Post by **Giorgio Maone** » Sat Apr 12, 2014 9:05 pm

Actually, it seems I've already "fixed" this long time ago, and forgot about it
Please try this.
Am I missing something?
[Edit]
Yes, I was missing my extra-paranoid settings.
In the general case (without HSTS etc.), my own "PoC" above succeeds. Trying the work-around hinted above, stay tuned

LouiseRBaldwin · Post by **LouiseRBaldwin** » Sat Apr 12, 2014 9:56 pm

[deleted]

Post by **Giorgio Maone** » Sat Apr 12, 2014 11:09 pm

Please check latest development build 2.6.8.20rc1, thank you.

InformAction Forums

[deleted]

[deleted]

Re: InjectionChecker same-origin policy flaw

Re: InjectionChecker same-origin policy flaw

[deleted]

Re: InjectionChecker same-origin policy flaw