Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome

[Michal Zalewski <lcamtuf () coredump cx>]

> To bypass protection from JavaScript code execution via refresh header it's
> needed to use data: URI, which will be containing requisite JS code.
> [...] After I informed Mozilla, they declined to fix this vulnerability.

"Refresh" or "Location" redirection in Firefox will not bestow a
security context derived from the referring site upon the executed
code. This is different from the behavior on javascript: URLs.
Granted, it and also somewhat counterintuitive, as other types of
data: navigation - e.g., link navigation, IFRAMEd content, location.*
updates - do inherit that context.

This means that there is nothing to be gained by redirecting to data:
through www.example.com; he could as well just redirect to his own
site and run any potentially malicious JavaScript there.

/mz