You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2011-10

Mozilla Foundation Security Advisory 2011-10

Title: CSRF risk with plugins and 307 redirects
Impact: High
Announced: March 1, 2011
Reporter: Kuza55, Tom Gallagher
Products: Firefox, SeaMonkey

Fixed in: Firefox 3.6.14
  Firefox 3.5.17
  SeaMonkey 2.0.12


Independent security researcher Kuza55 and Microsoft security researcher Tom Gallagher reported that when plugin-initiated requests receive a 307 redirect response, the plugin is not notified and the request is forwarded to the new location. This is true even for cross-site redirects, so any custom headers that were added as part of the initial request would be forwarded intact across origins. This poses a CSRF risk for web applications that rely on custom headers only being present in requests from their own origin.