
Mozilla Foundation Security Advisory 2012-97

Title: XMLHttpRequest inherits incorrect principal within sandbox
Impact: High
Announced: November 20, 2012
Reporter: Gabor Krizsanits
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 17.0
  Thunderbird 17.0
  SeaMonkey 2.14


Mozilla developer Gabor Krizsanits discovered that XMLHttpRequest objects created within sandboxes have the system principal instead of the sandbox principal. This can lead to cross-site request forgery (CSRF) or information theft via an add-on running untrusted code in a sandbox.
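The following is an added illustration, not Mozilla's code, modelling why the wrong principal matters: a request from a sandbox-created XMLHttpRequest is gated by the principal the object carries, so inheriting the system principal removes the same-origin check that should bind it. The origins and the `mayRequest` check are simplified assumptions for the model.

```javascript
// Simplified model of Gecko-style principals (added example, not Mozilla code).
// The system principal is unrestricted; an origin principal is bound to one
// origin and is subject to the same-origin policy on plain XHR requests.
const SYSTEM_PRINCIPAL = { kind: "system", origin: null };

function originPrincipal(origin) {
  return { kind: "origin", origin: new URL(origin).origin };
}

// Security check applied to a non-CORS XHR: the system principal may reach
// any URL, an origin principal only URLs of its own origin (assumption).
function mayRequest(principal, url) {
  if (principal.kind === "system") return true;
  return new URL(url).origin === principal.origin;
}

// A sandbox carries the principal of the untrusted code it hosts.
function makeSandbox(origin) {
  return { principal: originPrincipal(origin) };
}

// Behaviour described by the advisory: an XHR created inside the sandbox
// ends up with the system principal, so the check above never restricts it.
function createXhrBuggy(sandbox) {
  return { principal: SYSTEM_PRINCIPAL };
}

// Expected behaviour: the XHR inherits the sandbox's own principal.
function createXhrFixed(sandbox) {
  return { principal: sandbox.principal };
}

// Run the security check for a request and report the outcome.
function send(xhr, url) {
  return mayRequest(xhr.principal, url) ? "allowed" : "blocked";
}

// Constructed sample origins for the demonstration.
const sb = makeSandbox("https://untrusted-addon-content.example");
const crossOrigin = "https://other-site.example/data";
console.log("buggy:", send(createXhrBuggy(sb), crossOrigin)); // allowed
console.log("fixed:", send(createXhrFixed(sb), crossOrigin)); // blocked
```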