Mozilla Foundation Security Advisory 2015-136

Same-origin policy violation using performance.getEntries and history navigation

Announced
December 15, 2015
Reporter
cgvwzq
Impact
High
Products
Firefox, Firefox ESR
Fixed in
  • Firefox 43
  • Firefox ESR 38.7

Description

Security researcher cgvwzq reported that it is possible to read cross-origin URLs following a redirect if performance.getEntries() is used along with an iframe to host a page. Navigating back in history through script, content is pulled from the browser cache for the redirected location instead of going to the original location. This is a same-origin policy violation and could allow for data theft.

This issue affects other browsers as well and is not limited to Mozilla products.

References