Cross-site reading attack through data and view-source URIs
- December 15, 2015
- Tsubasa Iinuma
- Firefox, Firefox ESR, Firefox OS, Thunderbird
- Fixed in
  - Firefox 43
  - Firefox ESR 38.5
  - Firefox OS 2.5
  - Thunderbird 38.5
Security researcher Tsubasa Iinuma reported a mechanism to violate the same-origin policy for content loaded through data: and view-source: URIs, using them to confuse protections and bypass restrictions. This resulted in the ability to read data from cross-site URLs and local files.

In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.