Mozilla Foundation Security Advisory 2014-66

IFRAME sandbox same-origin access through redirect

Announced
July 22, 2014
Reporter
Boris Zbarsky
Impact
Moderate
Products
Firefox, Thunderbird
Fixed in
  • Firefox 31
  • Thunderbird 31

Description

Mozilla developer Boris Zbarsky discovered an issue in which a network-level redirect causes a sandboxed <iframe> to lose its unique (opaque) origin and behave as if the allow-same-origin keyword had been applied. This allows the sandboxed content to access other content from the same origin without the page having explicitly granted that permission.

In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.

References