Mozilla Foundation Security Advisory 2009-30

Incorrect principal set for file: resources loaded via location bar

June 11, 2009
Adam Barth, Collin Jackson
Fixed in
  • Firefox 3.0.11


Security researchers Adam Barth and Collin Jackson reported that when a file: resource is loaded via the location bar it inherits the principal of the previously loaded document. This vulnerability can potentially give the newly loaded document additional privileges to access the contents of other local files that it wouldn't otherwise have permission to read.

A potential victim would first have to have downloaded the attackers document to their local machine. Then the victim would have to open another document in a directory of interest to the attacker before opening the attacker's file in the same window.

Prior to version 3.0, Firefox (like browsers from other vendors) treated all local files as having the same origin without restriction. This vulnerability is a partial bypass of the restrictions implemented in Firefox 3.0