Comment 16 for bug 1552409

Jason Stephenson (jstephenson) wrote:

Having looked over the code, I would like to suggest that there be some way to compare the remote host in the redirects to a list of approved hosts. If there is an attempt to redirect to a host not on the approved list, then the redirect should be blocked and the user possibly warned.

My reason for making this suggestion is that a clever person could use this to redirect someone to a malicious site in an attempt to phish credentials or other personal information from them.

We can presumably trust the e-resource vendors using this feature to not do that to our users.
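As an added illustration of the approved-host check suggested in this comment (example code written here, not Evergreen's code and not from the bug thread), a Python validator that accepts same-site paths and absolute http(s) URLs whose host is exactly on the approved list, and rejects everything else so the redirect can be blocked and the user warned. The host names in `APPROVED_HOSTS` are constructed samples; a real deployment would load them from configuration.

```python
from urllib.parse import urlsplit

# Approved redirect hosts (constructed sample values, not from the bug report).
APPROVED_HOSTS = {"ezproxy.example.edu", "catalog.example.edu"}


def redirect_host_allowed(url: str, approved_hosts=APPROVED_HOSTS) -> bool:
    """Return True only if `url` is a safe redirect target.

    Accepts a same-site relative path, or an absolute http(s) URL whose
    hostname is exactly in `approved_hosts`. Other schemes, scheme-relative
    URLs ("//host/...") and unknown hosts are rejected.
    """
    # Browsers treat backslashes in the authority as slashes; normalise first
    # so "/\\host" is not mistaken for a same-site relative path.
    candidate = url.strip().replace("\\", "/")
    parts = urlsplit(candidate)

    if not parts.scheme and not parts.netloc:
        # Same-site path such as "/eg/opac/results?query=x".
        # A leading "//" would be scheme-relative, which urlsplit already
        # reports as a netloc, so it never reaches this branch.
        return candidate.startswith("/")

    if parts.scheme.lower() not in ("http", "https"):
        return False  # javascript:, data:, ftp:, ... are never redirect targets

    # .hostname is lower-cased with any userinfo ("user@") and port removed,
    # so "https://good.example.edu@evil.example/" resolves to "evil.example".
    host = parts.hostname
    if not host:
        return False
    return host in approved_hosts
```

Exact matching is deliberate: a suffix match ("endswith('example.edu')") would also accept "example.edu.attacker-controlled.test"-style names.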