
[deleted]

Posted: Fri Apr 11, 2014 3:42 pm
by LouiseRBaldwin
[deleted]

Re: InjectionChecker same-origin policy flaw

Posted: Fri Apr 11, 2014 7:10 pm
by Giorgio Maone
This has been a deliberate design choice, based on:
  1. The availability of effective countermeasures against MITM attacks like the one you described (HSTS, ForceHTTPS, NoScript's built-in HTTPS options...)
  2. Known false positive issues which would be caused by the stricter policy you're describing
However I guess I could try to enforce injection checks when landing on HTTPS from a different protocol/port, maybe with an about:config preference to switch it off, and see how it goes...
[Edit]
Sorry, I wrote the above defense assuming you actually checked your statement, but it looks like we already treat different schemes with the same host name as different origins for cross-site request check purposes, see my follow-up post below for a POC...
In fact, the false positives I mentioned are (safely) managed as ad-hoc exceptions.
[Edit 2]
The POC below failed on me because of some extra paranoid settings of mine, but it generally works. Sorry for the late night mistake.
Please check my 2nd post below, too.
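The behaviour discussed above, as an added example that is not NoScript's code and not from this thread: an origin comparison that is sensitive to scheme and port, so that landing on https://host from http://host (or from a different port) counts as a cross-origin navigation and the injection check runs, while a same-origin navigation skips it. The function names, the default-port table and the crude `looksInjected` stand-in for the real injection heuristics are all this example's own assumptions; the URLs in the comments are constructed.

```javascript
// Added example, not NoScript's InjectionChecker. Demonstrates the point made
// in the post: http://host and https://host are different origins, so the
// injection check must run when a navigation crosses between them.
const DEFAULT_PORTS = { "http:": "80", "https:": "443" };

// Normalise a URL to a scheme://host:port origin string. The WHATWG URL
// parser leaves .port empty for a scheme's default port, so it is filled in
// here; otherwise "http://h:80/" and "http://h/" would compare as different.
function originOf(urlString) {
  const u = new URL(urlString);
  const port = u.port || DEFAULT_PORTS[u.protocol] || "";
  return `${u.protocol}//${u.hostname.toLowerCase()}:${port}`;
}

// Scheme, host and port must all match. A scheme change alone is enough to
// make two URLs on the same host different origins.
function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Decide whether the destination of a navigation needs an injection check.
// Rule (this example's own): check whenever source and destination differ
// under the comparison above. No source at all (typed URL, bookmark) is
// treated as cross-origin too, since there is nothing to trust.
function needsInjectionCheck(sourceUrl, destUrl) {
  if (!sourceUrl) return true;
  return !sameOrigin(sourceUrl, destUrl);
}

// Crude stand-in for real injection heuristics: flag obvious script
// fragments in the decoded query string. A production checker does far more.
function looksInjected(destUrl) {
  const q = decodeURIComponent(new URL(destUrl).search);
  return /<script|javascript:|on\w+\s*=/i.test(q);
}

// Returns whether the check ran and whether it would block the navigation.
function checkNavigation(sourceUrl, destUrl) {
  const checked = needsInjectionCheck(sourceUrl, destUrl);
  return { checked, blocked: checked && looksInjected(destUrl) };
}

module.exports = { originOf, sameOrigin, needsInjectionCheck, looksInjected, checkNavigation };
```

Under this rule an http-to-https hop on the same host is always checked, which is exactly the case the thread worries about (an attacker on the plaintext side redirecting into the HTTPS site with an injected parameter); the cost is the extra false positives the post mentions, which is why a preference to switch the stricter behaviour off is reasonable.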

Re: InjectionChecker same-origin policy flaw

Posted: Sat Apr 12, 2014 9:05 pm
by Giorgio Maone
Actually, it seems I've already "fixed" this a long time ago, and forgot about it :)
Please try this.
Am I missing something?

[Edit]
Yes, I was missing my extra-paranoid settings.
In the general case (without HSTS etc.), my own "PoC" above succeeds. Trying the work-around hinted above, stay tuned :)

[deleted]

Posted: Sat Apr 12, 2014 9:56 pm
by LouiseRBaldwin
[deleted]

Re: InjectionChecker same-origin policy flaw

Posted: Sat Apr 12, 2014 11:09 pm
by Giorgio Maone
Please check latest development build 2.6.8.20rc1, thank you.