Mixed content WebSocket policy bypass through workers

ID MFSA2015-132
Type mozilla
Reporter Mozilla Foundation
Modified 2015-11-03T00:00:00


Mozilla developer Ehsan Akhgari reported a mechanism through which a web worker could be used to bypass secure requirements for WebSockets when workers are used to create WebSockets. This allows for the bypassing of mixed content WebSocket policy.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.