SolidOS/mashlib

Minor: A trailing "/" prevents identification of trusted apps

Opened this issue · 3 comments

If the domain declared for a trusted app ends with a "/" character, the app running is returned "403: Unauthorized Origin" when performing operations it should be allowed to (e.g. resource creation).

Users typically won't declare a domain ending with a "/", but when copy/pasting for instance, this may happen (that's how I discovered this). I'm not completely sure this is an issue, but it may be worth at least documenting, or removing the trailing "/" automatically.

A good point, and it shouldn't be difficult to normalize URLs.

There is the question on how NSS should handle this if it does have a trailing slash in the url or even if the url contains a full path like example.com/path/to/item. I'd say it would make sense for a 403 error to be returned. As example.com/path/to/item is not a valid origin, it should be skipped for evaluation. Therefore, the origin example.com is still not registered as a trusted app and should be rejected.

Thank you for the input @jaxoncreed - I'll solve this by implementing some proper checks in the trusted app view ^_^
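
The two behaviours discussed in this thread (normalizing a pasted trailing "/" versus rejecting anything that is not a bare origin) can be compared side by side. This is an added example, not code from mashlib or NSS: the function names, the `mode` parameter and the sample entries are hypothetical.

```javascript
// Added illustration; parseTrustedOrigin / isTrustedOrigin are hypothetical
// helpers, not part of mashlib or NSS.

// Return the serialized origin for a trusted-app entry, or null when the
// entry is not a bare origin (scheme://host[:port]).
//   mode "strict":    the entry must already be the exact serialized origin
//   mode "normalize": one trailing "/" and upper-case letters are tolerated
function parseTrustedOrigin(entry, mode = 'normalize') {
  const text = String(entry).trim();
  const candidate = mode === 'normalize'
    ? text.replace(/\/$/, '').toLowerCase()
    : text;
  let url;
  try {
    url = new URL(candidate);
  } catch (err) {
    return null; // no scheme, e.g. "example.com/path/to/item"
  }
  if (url.origin === 'null') return null; // opaque origin, e.g. "localhost:3000"
  // A path, query, fragment, credentials or a default port all make the
  // serialized origin differ from the candidate, so the entry is skipped.
  return url.origin === candidate ? url.origin : null;
}

// Compare a request's Origin header against the stored entries.
// Invalid entries are skipped, so they never grant access.
function isTrustedOrigin(requestOrigin, entries, mode = 'normalize') {
  const allowed = entries
    .map((e) => parseTrustedOrigin(e, mode))
    .filter((o) => o !== null);
  return allowed.includes(requestOrigin);
}

// Constructed sample entries, as a user might paste them.
const sampleEntries = [
  'https://app.example/',
  'https://other.example/path/to/item',
];

console.log(isTrustedOrigin('https://app.example', sampleEntries));           // normalize
console.log(isTrustedOrigin('https://app.example', sampleEntries, 'strict')); // strict
console.log(isTrustedOrigin('https://other.example', sampleEntries));         // path entry
```

In both modes the entry containing a full path is skipped, so its origin stays unregistered; only the handling of the lone trailing "/" differs.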