BrowserID assertion verification should not trust the Host field in the request
Bug #893390 reported by François Marier
This bug affects 1 person
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
Libravatar (obsolete) | Fix Released | Medium | François Marier | |
Bug Description
We should derive the host from the site's URL as opposed to trusting what the browser sends via the Host header in the request.
http://
Changed in libravatar: status: Confirmed → Fix Committed
Changed in libravatar: status: Fix Committed → Fix Released
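The change this bug asks for, as an added example that is not part of the bug report or Libravatar's own code: the audience handed to BrowserID assertion verification is built from server-side configuration, shown beside the Host-header pattern it replaces. `SITE_URL`, the function names and the sample hosts are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumed setting name: the site's configured base URL (constructed sample value).
SITE_URL = "https://www.example.org/"
DEFAULT_PORTS = {"http": 80, "https": 443}


def audience_from_site_url(site_url=SITE_URL):
    """Return 'scheme://host[:port]' using only the configured site URL."""
    parts = urlsplit(site_url)
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("site URL must be an absolute http(s) URL")
    if parts.username or parts.password:
        raise ValueError("site URL must not contain credentials")
    host = parts.hostname  # already lower-cased by urlsplit
    if ":" in host:  # IPv6 literal: restore the brackets urlsplit removed
        host = f"[{host}]"
    audience = f"{parts.scheme}://{host}"
    # parts.port raises ValueError on a malformed port
    if parts.port is not None and parts.port != DEFAULT_PORTS[parts.scheme]:
        audience += f":{parts.port}"
    return audience


def audience_from_request(headers, is_secure):
    """The pattern the bug describes: audience taken from the client-sent Host header."""
    scheme = "https" if is_secure else "http"
    return f"{scheme}://{headers.get('Host', '')}"


def host_header_is_expected(headers, is_secure, site_url=SITE_URL):
    """Logging aid: does the request's Host header agree with the configured site?"""
    try:
        claimed = audience_from_site_url(audience_from_request(headers, is_secure))
    except ValueError:
        return False
    return claimed == audience_from_site_url(site_url)


if __name__ == "__main__":
    request_headers = {"Host": "other.example.net"}  # constructed request
    print("from Host header:", audience_from_request(request_headers, True))
    print("from site URL:   ", audience_from_site_url())
    print("Host as expected:", host_header_is_expected(request_headers, True))
```

Only the value returned by `audience_from_site_url` should reach the assertion verifier; the Host comparison is useful for logging mismatched requests.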