Mozilla

Mozilla

Mozilla Foundation Security Advisory 2012-55

feed: URLs with an innerURI inherit security context of page

Announced
July 17, 2012
Reporter
Mario Gomes, Soroush Dalili
Impact
Moderate
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 14
  • Firefox ESR 10.0.6

Description

Security researchers Mario Gomes and Soroush Dalili reported that since Mozilla allows the pseudo-protocol feed: to prefix any valid URL, it is possible to construct feed:javascript: URLs that will execute scripts in some contexts. On some sites it may be possible to use this to evade output filtering that would otherwise strip javascript: URLs and thus contribute to cross-site scripting (XSS) problems on these sites.

References