Cross-site reading attack through data and view-source URIs

ID: MFSA2015-149
Type: mozilla
Reporter: Mozilla Foundation
Modified: 2015-12-15T00:00:00

Security researcher Tsubasa Iinuma reported a mechanism for violating the same-origin policy on content by using data: and view-source: URIs to confuse origin protections and bypass their restrictions. This allowed an attacker to read data from cross-site URLs and from local files.

In general, this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but it is potentially a risk in browser or browser-like contexts.