You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2009-30

Mozilla Foundation Security Advisory 2009-30

Title: Incorrect principal set for file: resources loaded via location bar
Impact: Moderate
Announced: June 11, 2009
Reporter: Adam Barth, Collin Jackson
Products: Firefox 3

Fixed in: Firefox 3.0.11


Security researchers Adam Barth and Collin Jackson reported that when a file: resource is loaded via the location bar it inherits the principal of the previously loaded document. This vulnerability can potentially give the newly loaded document additional privileges to access the contents of other local files that it wouldn't otherwise have permission to read.

A potential victim would first have to have downloaded the attackers document to their local machine. Then the victim would have to open another document in a directory of interest to the attacker before opening the attacker's file in the same window.

Prior to version 3.0, Firefox (like browsers from other vendors) treated all local files as having the same origin without restriction. This vulnerability is a partial bypass of the restrictions implemented in Firefox 3.0