Mozilla Foundation Security Advisory 2012-97

XMLHttpRequest inherits incorrect principal within sandbox

Announced: November 20, 2012
Reporter: Gabor Krizsanits
Impact: High
Products: Firefox, SeaMonkey, Thunderbird
Fixed in:
  • Firefox 17
  • SeaMonkey 2.14
  • Thunderbird 17

Description

Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox.
