http://issues.apache.org/bugzilla/show_bug.cgi?id=39196

           Summary: Allowed script origin not adhered to when there are redirections
           Product: Batik
           Version: 2.0
          Platform: All
               URL: http://mcc.id.au/temp/2006/script-origin.svg
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Scripting
        AssignedTo: [email protected]
        ReportedBy: [EMAIL PROTECTED]

If the allowed script origin is set to "document" (same host), and when fetching the script a redirect to a different host occurs, the script is still loaded.

The URL above shows an example file with two 100x100 rects. Both should be green, indicating that the two scripts didn't load. However, the referenced URL http://mcc.id.au/temp/2006/redirect.js redirects to http://arc.mcc.id.au/temp/2006/nasty-redirected.js, and is then run, which makes the second rect red.

There should be some way to enforce this using Java's security stuff, when the ParsedURLData opens the URLConnection, but I am not very familiar with permissions and so on. If this isn't possible, then I guess redirections could be turned off for the URLConnection, which would then have to be handled manually.

This is probably a problem for the external resource origin setting, too.
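The fallback suggested in the report (turn off redirections on the URLConnection and handle them manually) is shown here as an added example; it is not part of the original report and not Batik code. The class name SameHostFetcher, its methods, the redirect limit and the local test server in main are assumptions; the server is constructed so the demo runs offline, using 127.0.0.1 and localhost as two different host names.

```java
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.HttpURLConnection;
import java.net.InetSocketAddress;
import java.net.URL;

// Added example, not Batik code: all names here are hypothetical.
public class SameHostFetcher {
    static final int MAX_REDIRECTS = 5; // assumed limit
    // "document" origin check: the target must be on the document's host.
    static boolean sameHost(URL doc, URL target) {
        return doc.getHost().equalsIgnoreCase(target.getHost());
    }

    // Follows redirects by hand so the host is re-checked on every hop (assumes http/https URLs).
    static InputStream open(URL doc, URL script) throws IOException {
        URL current = script;
        for (int hop = 0; hop <= MAX_REDIRECTS; hop++) {
            if (!sameHost(doc, current)) throw new SecurityException("blocked cross-host script: " + current);
            HttpURLConnection http = (HttpURLConnection) current.openConnection();
            http.setInstanceFollowRedirects(false); // no silent 3xx handling by the JDK
            int code = http.getResponseCode();
            String location = http.getHeaderField("Location");
            if (code < 300 || code > 399 || location == null) return http.getInputStream();
            http.disconnect();
            current = new URL(current, location); // Location may be relative
        }
        throw new IOException("too many redirects: " + script);
    }

    // Constructed local test: 127.0.0.1 redirects to "localhost", a different host name.
    public static void main(String[] args) throws IOException {
        HttpServer srv = HttpServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        int port = srv.getAddress().getPort();
        srv.createContext("/redirect.js", ex -> {
            ex.getResponseHeaders().add("Location", "http://localhost:" + port + "/nasty.js");
            ex.sendResponseHeaders(302, -1);
            ex.close();
        });
        srv.start();
        String base = "http://127.0.0.1:" + port;
        try (InputStream in = open(new URL(base + "/doc.svg"), new URL(base + "/redirect.js"))) {
            System.out.println("script loaded");
        } catch (SecurityException e) {
            System.out.println(e.getMessage());
        } finally {
            srv.stop(0);
        }
    }
}
```

The check runs before each connection is opened, so the redirected host is never contacted when it differs from the document's host.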
