
Mozilla Foundation Security Advisory 2008-64

Title: XMLHttpRequest 302 response disclosure
Impact: Moderate
Announced: December 16, 2008
Reporter: Marius Schilder
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 3.0.5
  Firefox 2.0.0.19
  Thunderbird 2.0.0.19
  SeaMonkey 1.1.14

Description

Marius Schilder of Google Security reported that when an XMLHttpRequest is made to a same-origin resource that responds with a 302 redirect to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response, including URL parameters and content in the response body.
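The defect above comes down to where the same-origin check is applied. The following is an added illustration, not Mozilla's code: it models the flawed policy, which compares only the URL the script asked for, beside the correct one, which compares every hop of the redirect chain before the response body is exposed. The origins, URLs and redirect chains are constructed sample values.

```javascript
// Added model of the XHR redirect check (illustration only, not Mozilla's code).
// A redirect chain is represented as the list of URLs the engine fetched in
// order: the URL the script requested first, then each 302 Location target.
// The last entry is the URL whose response body the script would read.

// Origin of a URL as (scheme, host, port); URL.origin normalises default
// ports and lower-cases the host, so "https://a.example:443/x" and
// "https://A.example/y" compare equal.
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Flawed policy: only the URL the script requested is checked. A same-origin
// URL that redirects elsewhere therefore passes, and the cross-domain body
// becomes readable. This is the behaviour the advisory describes.
function checkRequestedUrlOnly(requesterOrigin, chain) {
  return originOf(chain[0]) === requesterOrigin;
}

// Corrected policy: every hop must be same-origin with the requester. The
// first cross-origin hop blocks exposure of the final response, regardless of
// how many same-origin hops preceded it.
function mayExposeResponse(requesterOrigin, chain) {
  for (const hop of chain) {
    if (originOf(hop) !== requesterOrigin) {
      return { allowed: false, blockedAt: hop };
    }
  }
  return { allowed: true, blockedAt: null };
}

// Constructed sample: a same-origin endpoint that 302-redirects cross-domain.
const requester = 'https://app.example';
const sampleChain = [
  'https://app.example/jump',
  'https://other.example/data?session=constructed-sample',
];

module.exports = { originOf, checkRequestedUrlOnly, mayExposeResponse, requester, sampleChain };
```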

Thunderbird shares the browser engine with Firefox and could be vulnerable if JavaScript were to be enabled in mail. This is not the default setting and we strongly discourage users from running JavaScript in mail.

Workaround

Disable JavaScript until a version containing these fixes can be installed.

References