
Bug #190

RefreshAddress not checked for same origin

Added by Tobias Wich almost 8 years ago. Updated over 7 years ago.

Status: Closed
Priority: Normal
Assignee: -
Start date: 03/21/2013
% Done: 0%

Description

The certificate obtained from the TLS connection used to retrieve the TCToken must be used to validate the RefreshAddress. This check is currently not performed.

The relevant section of the eCard API (TR-03112 Part 7) is 3.4.5.
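The missing check, as an added illustration (not code from the bug report or the project): it assumes the same-origin rule means equal scheme, host and port between the TCToken URL and the RefreshAddress, and models the TLS certificate from the TCToken connection by the DNS names it asserts.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin(url):
    """Return (scheme, host, port) for a URL, filling in the default port."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    port = parts.port or DEFAULT_PORTS.get(parts.scheme.lower())
    return (parts.scheme.lower(), host, port)


def cert_matches_host(san_dns_names, host):
    """Check a hostname against the DNS names a certificate asserts.
    A wildcard is accepted only for a single leftmost label (*.example.org)."""
    host = host.lower().rstrip(".")
    for name in san_dns_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and host.count(".") >= 2:
            # Drop one leftmost label of the host and compare the remainder.
            if host.split(".", 1)[1] == name[2:]:
                return True
    return False


def check_refresh_address(tctoken_url, tls_cert_dns_names, refresh_address):
    """Validate a RefreshAddress against the TCToken origin and the TLS
    certificate seen when the TCToken was fetched. Returns (ok, reason)."""
    tctoken_origin = origin(tctoken_url)
    refresh_origin = origin(refresh_address)
    if refresh_origin[0] != "https":
        return False, "RefreshAddress must use https"
    if refresh_origin != tctoken_origin:
        return False, f"origin mismatch: {refresh_origin} != {tctoken_origin}"
    if not cert_matches_host(tls_cert_dns_names, refresh_origin[1]):
        return False, "TCToken TLS certificate does not cover RefreshAddress host"
    return True, "ok"


# Constructed sample values; not taken from the bug report.
TCTOKEN_URL = "https://eid.example.org:443/tctoken"
CERT_SANS = ["eid.example.org", "*.example.org"]

if __name__ == "__main__":
    for addr in ["https://eid.example.org/refresh?token=1",
                 "https://attacker.example.net/refresh",
                 "http://eid.example.org/refresh"]:
        print(addr, check_refresh_address(TCTOKEN_URL, CERT_SANS, addr))
```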


Related issues

  • Related to Bug #209: Final result of eID dialog is not sent as HTTP Redirect to eID-Client, but eID-Client redirects/offers Browser that result page (Closed, 03/27/2013)
  • Has duplicate Bug #208: It seems that same origin policy is not checked (refer to TR-03112-7 v1.1.2 chapter 3.x) (Rejected, 03/27/2013)

History

#1

Updated by Tobias Wich almost 8 years ago

  • Target version changed from 1.0.1 to 1.0.2

Issue needs further investigation because the "Same origin" check is dependent on information from EAC, which is only available when the nPA is used.

#2

Updated by Andreas Kuckartz almost 8 years ago

Sounds like a security issue.

#3

Updated by Tobias Wich over 7 years ago

  • Status changed from New to Review
  • Reviewer set to Tobias Wich

#4

Updated by Tobias Wich over 7 years ago

  • Status changed from Review to Closed
