[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Cross-Site Scripting vulnerability in Mozilla, Firefox and Chrome
> needed to use data: URI, which will be containing requisite JS code.
> [...] After I informed Mozilla, they declined to fix this vulnerability.
"Refresh" or "Location" redirection in Firefox will not bestow a
security context derived from the referring site upon the executed
Granted, it and also somewhat counterintuitive, as other types of
data: navigation - e.g., link navigation, IFRAMEd content, location.*
updates - do inherit that context.
This means that there is nothing to be gained by redirecting to data:
through www.example.com; he could as well just redirect to his own