Mixed content WebSocket policy bypass through workers
- November 3, 2015
- Ehsan Akhgari
- Firefox, Firefox ESR, Thunderbird
- Fixed in
- Firefox 42
- Firefox ESR 38.4
- Thunderbird 38.4
Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.