
Mozilla Foundation Security Advisory 2008-64

XMLHttpRequest 302 response disclosure

December 16, 2008
Marius Schilder
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox
  • Firefox 3.0.5
  • SeaMonkey 1.1.14
  • Thunderbird


Marius Schilder of Google Security reported that when an XMLHttpRequest is made to a same-origin resource which responds with a 302 redirect to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR, in violation of the same-origin policy. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response, including parameters in the redirect target's URL and content in the response body.
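The following is an added illustration, not Mozilla's code or the actual Firefox patch: a small Node.js simulation of the two policies described above. The in-memory "network", the hostnames app.example and bank.example, and the response bodies are all constructed for the example. The vulnerable policy checks only the URL the script asked for, so the body and query string of the cross-domain redirect target leak back to the caller; the fixed policy checks every hop of the redirect chain against the caller's origin and returns only an error when any hop leaves it (the pre-CORS rule that applied in 2008). Cookie headers are withheld in both cases, matching the advisory's note that HttpOnly cookies were not exposed.

```javascript
// Added example (not Mozilla code). Simulates XHR redirect handling.
// Every URL and response here is constructed for the demonstration.

// Constructed in-memory "network": each absolute URL maps to a canned response.
const NETWORK = {
  "https://app.example/api/profile": {
    status: 302,
    headers: { location: "https://bank.example/account?token=s3cr3t" },
    body: "",
  },
  "https://bank.example/account?token=s3cr3t": {
    status: 200,
    headers: {
      "content-type": "text/plain",
      "set-cookie": "session=abc; HttpOnly",
    },
    body: "balance: 1234.56",
  },
};

// Origin = scheme + host (+ port), as the same-origin policy defines it.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`;
}

// The network layer follows 3xx Location headers transparently and
// records every hop so the policy layer can inspect the whole chain.
function fetchWithRedirects(url, maxHops = 5) {
  const chain = [url];
  let resp = NETWORK[url];
  while (
    resp && resp.status >= 300 && resp.status < 400 &&
    resp.headers.location && chain.length <= maxHops
  ) {
    url = new URL(resp.headers.location, url).toString();
    chain.push(url);
    resp = NETWORK[url];
  }
  if (!resp) throw new Error("unreachable: " + url);
  return { chain, finalUrl: url, response: resp };
}

// XHR never exposes cookie-setting headers to script, which is why
// HttpOnly cookies were not readable even in the vulnerable case.
function readableHeaders(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) {
    if (k !== "set-cookie" && k !== "set-cookie2") out[k] = v;
  }
  return out;
}

// Vulnerable policy: only the *requested* URL is compared with the caller's
// origin, so whatever the redirect lands on is handed back to the script.
function xhrVulnerable(callerOrigin, url) {
  if (originOf(url) !== callerOrigin) {
    return { ok: false, reason: "cross-origin request refused" };
  }
  const { finalUrl, response } = fetchWithRedirects(url);
  return {
    ok: true,
    finalUrl,                       // leaks the redirect target's query string
    status: response.status,
    headers: readableHeaders(response.headers),
    body: response.body,            // leaks the cross-domain body
  };
}

// Fixed policy: every hop in the chain must stay within the caller's origin.
// On violation the script gets an error and nothing about the final response.
function xhrFixed(callerOrigin, url) {
  if (originOf(url) !== callerOrigin) {
    return { ok: false, reason: "cross-origin request refused" };
  }
  const { chain, finalUrl, response } = fetchWithRedirects(url);
  const offending = chain.find((u) => originOf(u) !== callerOrigin);
  if (offending) {
    return { ok: false, reason: "redirect left origin: " + originOf(offending) };
  }
  return {
    ok: true,
    finalUrl,
    status: response.status,
    headers: readableHeaders(response.headers),
    body: response.body,
  };
}

// Demo: a script on https://app.example fetching its own /api/profile.
const CALLER = "https://app.example";
console.log("vulnerable:", xhrVulnerable(CALLER, "https://app.example/api/profile"));
console.log("fixed:     ", xhrFixed(CALLER, "https://app.example/api/profile"));
```

Run with `node`. The vulnerable result carries `finalUrl` with `token=s3cr3t` and the account balance body; the fixed result is a bare error with no URL, status, headers or body, and neither variant ever surfaces the `Set-Cookie` header.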

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were enabled in mail. This is not the default setting, and we strongly discourage users from running JavaScript in mail.


Disable JavaScript until a version containing these fixes can be installed.