Mozilla Foundation Security Advisory 2016-54

Partial same-origin-policy bypass through setting location.host through data URI

Announced: June 7, 2016
Reporter: Armin Razmdjou
Impact: Low
Products: Firefox
Fixed in:
  • Firefox 47

Description

Security researcher Armin Razmdjou reported that the location.host property can be set to an arbitrary string after creating an invalid data: URI. This allows for a bypass of some same-origin policy protections. The issue is mitigated by the data: URI in use, and any same-origin checks for http: or https: are still enforced correctly. As a result, cookie stealing and other common same-origin bypass attacks are not possible.
