The reason is that this opens you up to being injected where you don't expect, which can lead to security problems. In your above code, it would run on http://google.phisher.org for example. Even if you changed your code to explicitly test for known registry-controlled domains (.com, .co.uk, .jp, etc.), you'd still have a problem in that most companies (including Google) don't actually own companyname.* for every RCD that's out there. Further, in the cases where the company doesn't own that domain, the domain is often being used for phishing/malware, etc. So the only way to do this is to know ahead of time the explicit list of RCDs that are controlled by the company, which can be a pain to figure out, unfortunately.
This is the reason you cannot use *://*.google.*/ in a match pattern.
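To make the quoted reasoning concrete, here is an added JavaScript example (not Chromium's code and not from the original post) with a small validator and matcher for Chrome-style match patterns, next to the naive host glob that *://*.google.*/ would require. The host names, the PHISHING_URL sample and the KNOWN_GOOGLE_PATTERNS list are constructed for illustration; the list is not an authoritative inventory of the domains Google controls.

```javascript
// Added example (not Chromium's code): a validator and matcher for
// Chrome-style extension match patterns, plus the naive host glob that a
// pattern like *://*.google.*/ would need. Host names and the owned-domain
// list are constructed for illustration only.

const SCHEMES = new Set(["http", "https", "ftp"]);

function escapeRe(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Returns {scheme, host, path} for a valid pattern, or null. The host part may
// be "*", a literal host name, or "*." followed by a literal host name; a "*"
// anywhere else in the host (e.g. in the TLD position) makes the pattern invalid.
function parseMatchPattern(pattern) {
  if (pattern === "<all_urls>") return { scheme: "*", host: "*", path: "/*" };
  const m = /^(\*|[a-z]+):\/\/([^/]*)(\/.*)$/.exec(pattern);
  if (!m) return null;
  const [, scheme, host, path] = m;
  if (scheme !== "*" && !SCHEMES.has(scheme)) return null;
  if (host !== "*") {
    const literal = host.startsWith("*.") ? host.slice(2) : host;
    if (literal.length === 0 || literal.includes("*")) return null;
    if (!/^[a-z0-9.-]+$/i.test(literal)) return null;
  }
  return { scheme, host, path };
}

// True when the URL is covered by the pattern. "*" as scheme means http or
// https; "*.example.com" covers example.com and every subdomain of it; "*" in
// the path is a glob over path plus query string.
function urlMatches(pattern, urlString) {
  const p = parseMatchPattern(pattern);
  if (p === null) throw new Error(`invalid match pattern: ${pattern}`);
  const u = new URL(urlString);
  const scheme = u.protocol.slice(0, -1);
  const schemeOk = p.scheme === "*" ? scheme === "http" || scheme === "https" : scheme === p.scheme;
  if (!schemeOk) return false;
  const host = u.hostname.toLowerCase();
  if (p.host !== "*") {
    if (p.host.startsWith("*.")) {
      const suffix = p.host.slice(2).toLowerCase();
      if (host !== suffix && !host.endsWith("." + suffix)) return false;
    } else if (host !== p.host.toLowerCase()) {
      return false;
    }
  }
  const pathRe = new RegExp("^" + p.path.split("*").map(escapeRe).join(".*") + "$");
  return pathRe.test(u.pathname + u.search);
}

// What accepting *.google.* would mean: keep the "*." prefix semantics (any
// number of leading labels) and treat the remaining "*" as a plain glob.
function naiveHostMatches(hostGlob, hostname) {
  let re = "^";
  let rest = hostGlob;
  if (rest.startsWith("*.")) {
    re += "(?:[^.]+\\.)*";
    rest = rest.slice(2);
  }
  re += rest.split("*").map(escapeRe).join(".*") + "$";
  return new RegExp(re, "i").test(hostname);
}

// The workable alternative from the quoted explanation: an explicit list of
// patterns for domains the company is known to control. Entries are
// illustrative, not an authoritative inventory of Google's domains.
const KNOWN_GOOGLE_PATTERNS = ["*://*.google.com/*", "*://*.google.co.uk/*"];

function matchesAnyPattern(patterns, urlString) {
  return patterns.some((p) => urlMatches(p, urlString));
}

// Constructed sample: a lookalike host that a TLD wildcard would have covered.
const PHISHING_URL = "http://google.phisher.org/";

function demo() {
  return {
    wildcardTldRejected: parseMatchPattern("*://*.google.*/") === null, // true
    naiveGlobCoversPhisher: naiveHostMatches("*.google.*", "google.phisher.org"), // true
    allowlistCoversPhisher: matchesAnyPattern(KNOWN_GOOGLE_PATTERNS, PHISHING_URL), // false
    allowlistCoversGoogle: matchesAnyPattern(KNOWN_GOOGLE_PATTERNS, "https://mail.google.com/mail/u/0/"), // true
  };
}
```

Calling demo() shows the two halves of the argument side by side: the parser rejects the TLD wildcard outright, and the naive glob it would have needed happily covers google.phisher.org, while the explicit per-domain allow list covers mail.google.com and nothing on the lookalike host.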