Same-origin bypass with web workers and XMLHttpRequest
- August 6, 2013
- Federico Lanusse
- Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
- Fixed in
- Firefox 23
- Firefox ESR 17.0.8
- SeaMonkey 2.20
- Thunderbird 17.0.8
- Thunderbird ESR 17.0.8
Mozilla community member Federico Lanusse reported a mechanism where a web worker can violate same-origin policy and bypass cross-origin checks through XMLHttpRequest. This could allow for cross-site scripting (XSS) attacks by web workers.
In general these flaws cannot be exploited through email in the Thunderbird product because scripting is disabled, but are potentially a risk in browser or browser-like contexts.