Information stealing via loadBindingDocument
- December 16, 2008
- Boris Zbarsky
- Firefox, SeaMonkey, Thunderbird
- Fixed in
- Firefox 220.127.116.11
- SeaMonkey 1.1.14
- Thunderbird 18.104.22.168
Mozilla developer Boris Zbarsky reported that XBL bindings could be used to read data from other domains, a violation of the same-origin policy. The severity of this issue was determined to be moderate due to several mitigating factors:
- The target document requires a
<bindings>element in the XBL namespace in order to be read.
- The reader of the data needs to know the
idattribute of the binding being read in advance.
- It is unlikely that web services will expose private data in the manner described above.
Firefox 3 is not affected by this issue.