Firefox cross-domain text theft (CESA-2008-011)
Dec 18 2008 09:00AM
Chris Evans (scarybeasts gmail com)
Firefoxes 18.104.22.168 and 3.0.5 fix a cross-domain theft of textual data.
messages for scripts executed via <script src="remote_domain.org">.
of text from the remote domain as part of the error message, e.g.
"blah is not defined". This permits certain textual constructs to be
The broader issue was fixed in Firefox 3.0. However this fix was not
complete. The fix could be dodged by using another instance of the
"302 redirect trick". It was possible to cause the browser to believe
a remote script was in fact local, and therefore continue to reveal
Blog post: http://scarybeastsecurity.blogspot.com/2008/12/firefox-cross-domain-text
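The redirect bypass described above comes down to which URL the same-origin check is applied to. The following is an added example, not part of the original advisory and not Firefox source code: a simplified model in which the load records, host names, error text and the generic placeholder message are all constructed assumptions.

```javascript
// Simplified model of deciding whether a page's error handler may see the
// detailed error text produced by a <script src=...> load.
// Added illustration only; all names and sample data are constructed.

const GENERIC = "Script error."; // placeholder shown instead of the detail

// One script load: the URL the page asked for, and the URL the executed
// response finally came from (different when the server answered with a 302).
function makeLoad(requestedUrl, finalUrl, errorText) {
  return { requestedUrl, finalUrl: finalUrl || requestedUrl, errorText };
}

function sameOrigin(a, b) {
  return new URL(a).origin === new URL(b).origin;
}

// Incomplete check: trusts the originally requested URL, so a local URL that
// redirects to another domain is still treated as local.
function reportErrorByRequestedUrl(pageUrl, load) {
  return sameOrigin(pageUrl, load.requestedUrl) ? load.errorText : GENERIC;
}

// Complete check: uses the origin of the response that was actually executed.
function reportErrorByFinalUrl(pageUrl, load) {
  return sameOrigin(pageUrl, load.finalUrl) ? load.errorText : GENERIC;
}

const PAGE = "https://page.example/index.html";

// Constructed sample loads.
const LOCAL = makeLoad("https://page.example/app.js", null,
  "init is not defined");
const REMOTE = makeLoad("https://remote.example/data.txt", null,
  "blah is not defined");
const REDIRECTED = makeLoad("https://page.example/r",
  "https://remote.example/data.txt", "blah is not defined");

function compare() {
  return [LOCAL, REMOTE, REDIRECTED].map((load) => ({
    requested: load.requestedUrl,
    final: load.finalUrl,
    byRequestedUrl: reportErrorByRequestedUrl(PAGE, load),
    byFinalUrl: reportErrorByFinalUrl(PAGE, load),
  }));
}

console.table(compare());
```

Only the redirected load differs between the two checks: judged by the requested URL it is treated as local and the remote text is reported, judged by the final URL it is not.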