Mozilla Foundation Security Advisory 2008-64
Title: XMLHttpRequest 302 response disclosure
Impact: Moderate
Announced: December 16, 2008
Reporter: Marius Schilder
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 3.0.5, Firefox 126.96.36.199, Thunderbird 188.8.131.52, SeaMonkey 1.1.14

Description
Marius Schilder of Google Security reported that when an XMLHttpRequest is made to a same-origin resource which 302-redirects to a resource in a different domain, the response from the cross-domain resource is readable by the site issuing the XHR. Cookies marked HttpOnly were not readable, but other potentially sensitive data could be revealed in the XHR response, including URL parameters and content in the response body.
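The following is an added illustration, not Mozilla's code and not the actual Gecko fix: it models the origin check an XHR implementation has to apply across a 302 redirect chain, contrasting a decision that looks only at the requested URL (the behaviour the advisory describes) with one that re-checks every hop. The hostnames, paths and redirect map are constructed sample values.

```javascript
// Added example (not from the advisory or from Mozilla): a model of the
// same-origin decision for an XHR whose target 302-redirects elsewhere.
function originOf(url) {
  const u = new URL(url);
  return `${u.protocol}//${u.host}`; // scheme + host (+ port)
}

// Follow a chain of "url -> 302 Location" hops (constructed map), returning
// every URL visited: the initial request plus each redirect target.
function followRedirects(startUrl, redirects, maxHops = 20) {
  const chain = [startUrl];
  let current = startUrl;
  for (let i = 0; i < maxHops && redirects[current] !== undefined; i++) {
    current = new URL(redirects[current], current).href; // resolve relative Location
    chain.push(current);
  }
  return chain;
}

// Vulnerable decision (the behaviour the advisory describes): only the URL
// the page requested is compared with the document origin, so a same-origin
// 302 that lands on another domain still yields a readable response.
function readableBeforeFix(docOrigin, chain) {
  return originOf(chain[0]) === docOrigin;
}

// Corrected decision: every hop must be same-origin with the document, so the
// response stops being readable as soon as a redirect leaves the origin.
function readableAfterFix(docOrigin, chain) {
  return chain.every((url) => originOf(url) === docOrigin);
}

// Constructed sample: a same-origin redirector that bounces to a third party,
// and one that stays on the origin. Hostnames and the token value are made up.
const SAMPLE_REDIRECTS = {
  "https://app.example/go?to=partner": "https://partner.example/account?token=SAMPLE",
  "https://app.example/local": "/local-target",
};

function demo(docOrigin = "https://app.example") {
  const cross = followRedirects("https://app.example/go?to=partner", SAMPLE_REDIRECTS);
  const same = followRedirects("https://app.example/local", SAMPLE_REDIRECTS);
  return {
    cross: { before: readableBeforeFix(docOrigin, cross), after: readableAfterFix(docOrigin, cross) },
    same: { before: readableBeforeFix(docOrigin, same), after: readableAfterFix(docOrigin, same) },
  };
}
```

Running `demo()` shows the cross-domain chain readable under the first decision and blocked under the second, while the purely same-origin redirect stays readable under both.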
* https://bugzilla.mozilla.org/show_bug.cgi?id=458248
* CVE-2008-5506