Bugtraq mailing list archives
Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
From: Michal Zalewski <lcamtuf () coredump cx>
Date: Wed, 15 Jul 2009 13:00:40 -0700
To bypass protection from JavaScript code execution via refresh header it's needed to use data: URI, which will be containing requisite JS code. [...] After I informed Mozilla, they declined to fix this vulnerability.
"Refresh" or "Location" redirection in Firefox will not bestow a security context derived from the referring site upon the executed code. This is different from the behavior on javascript: URLs. Granted, it and also somewhat counterintuitive, as other types of data: navigation - e.g., link navigation, IFRAMEd content, location.* updates - do inherit that context. This means that there is nothing to be gained by redirecting to data: through www.example.com; he could as well just redirect to his own site and run any potentially malicious JavaScript there. /mz
Current thread:
- Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome MustLive (Jul 15)
- Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome Michal Zalewski (Jul 15)
- Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome MustLive (Jul 27)
- <Possible follow-ups>
- Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome advisories (Jul 16)
- Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome MustLive (Jul 28)
- Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome Michal Zalewski (Jul 15)