IFRAME sandbox same-origin access through redirect
- July 22, 2014
- Boris Zbarsky
- Firefox, Thunderbird
- Fixed in
  - Firefox 31
  - Thunderbird 31
Mozilla developer Boris Zbarsky discovered an issue where network-level redirects cause an <iframe> sandbox to forget its unique origin and behave as if the were applied. This allows the sandboxed content to access other content from the same origin without explicit approval.
In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.
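The following audit sketch is an added example, not code from Mozilla or from this advisory. It classifies a page's iframes to find those whose only separation from the embedding origin is the sandbox's unique origin, which is the property this flaw removed. It assumes the standard HTML `allow-same-origin` sandbox token; the function name, the finding labels and the sample URLs are constructed for illustration.

```javascript
// Added example: classify iframes by how they are isolated from the page.
const SAME_ORIGIN_TOKEN = "allow-same-origin";

// The sandbox attribute is a space-separated, case-insensitive token set.
function sandboxTokens(value) {
  return new Set(value.toLowerCase().split(/\s+/).filter(Boolean));
}

// frames: [{ src, sandbox }] where sandbox is the attribute value,
// or null when the attribute is absent. Only the initial src is visible
// to a static audit; the final URL after any redirect is not.
function auditFrames(pageUrl, frames) {
  const pageOrigin = new URL(pageUrl).origin;
  return frames.map(({ src, sandbox }) => {
    const frameOrigin = new URL(src, pageUrl).origin; // resolves relative src
    let finding;
    if (sandbox === null || sandbox === undefined) {
      finding = "not-sandboxed";
    } else if (sandboxTokens(sandbox).has(SAME_ORIGIN_TOKEN)) {
      finding = "same-origin-granted"; // explicit approval by the embedder
    } else if (frameOrigin === pageOrigin) {
      // Same URL origin as the page: the unique sandbox origin is the
      // only barrier, so a sandbox bug exposes the page's origin.
      finding = "relies-on-sandbox-only";
    } else {
      // A separate hosting origin still isolates the content if the
      // sandbox's unique origin is lost.
      finding = "isolated-by-origin-and-sandbox";
    }
    return { src, frameOrigin, finding };
  });
}

// Constructed sample input.
const PAGE = "https://app.example/dashboard";
const SAMPLE_FRAMES = [
  { src: "/user-content/widget.html", sandbox: "allow-scripts" },
  { src: "https://usercontent.example/widget.html", sandbox: "allow-scripts" },
  { src: "/preview", sandbox: "allow-scripts Allow-Same-Origin" },
  { src: "/help", sandbox: null },
];

for (const r of auditFrames(PAGE, SAMPLE_FRAMES)) {
  console.log(`${r.finding.padEnd(32)} ${r.src}`);
}
```

Frames reported as `relies-on-sandbox-only` are candidates for moving the untrusted content to a dedicated origin, so that isolation does not depend on the sandbox alone.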