Mozilla Foundation Security Advisory 2016-91
Security vulnerabilities fixed in Firefox 50.0.1
- November 28, 2016
- Fixed in
- Firefox 50.0.1
#CVE-2016-9078: data: URL can inherit wrong origin after an HTTP redirect
- Alexander Inführ
Redirection from an HTTP connection to a
data: URL assigns the referring site's origin to the
data: URL in some circumstances. This can result in same-origin violations against a domain if it loads resources from malicious sites. Cross-origin setting of cookies has been demonstrated without the ability to read them.
Note: This issue only affects Firefox 49 and 50.