Mozilla Foundation Security Advisory 2010-13

Content policy bypass with image preloading

Announced
March 23, 2010
Reporter
Josh Soref, Nokia
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 3.6.2

Description

Mozilla developer Josh Soref of Nokia reported that documents failed to call certain security checks when attempting to preload images. Although the image content is not available to the page, it is possible to specify protocols that are normally not allowed in a web page such as file:. This includes internal schemes implemented by add-ons that might perform privileged actions resulting in something like a Cross-Site Request Forgery (CSRF) attack against the add-on. Potential severity would depend on the add-ons installed.

References