Mozilla Foundation Security Advisory 2010-24

XMLDocument::load() doesn't check nsIContentPolicy

Announced
March 30, 2010
Reporter
Wladimir Palant
Impact
Low
Products
Firefox, SeaMonkey, Thunderbird
Fixed in
  • Firefox 3.5.9
  • Firefox 3.6.2
  • SeaMonkey 2.0.4
  • Thunderbird 3.0.4

Description

Mozilla community member Wladimir Palant reported that XML documents were failing to call certain security checks when loading new content. This could result in certain resources being loaded that would otherwise violate security policies set by the browser or installed add-ons.

This issue has not been fixed in Firefox 3.0

References