Re: Unimplement: @-moz-document regexp support?

2014-07-09 Thread Frederik Braun
On 09.07.2014 01:41, Ehsan Akhgari wrote:
> On 2014-07-08, 6:34 PM, L. David Baron wrote:
> > On Monday 2014-07-07 15:18 -0400, Ehsan Akhgari wrote:
> > > That seems pretty bad. I think we should at least stop supporting it for Web content. David, what do you think?
> > I'm ok with restricting it to UA

Re: Unimplement: @-moz-document regexp support?

2014-07-08 Thread L. David Baron
On Monday 2014-07-07 15:18 -0400, Ehsan Akhgari wrote:
> That seems pretty bad. I think we should at least stop supporting it for Web content. David, what do you think?
I'm ok with restricting it to UA and user style sheets, although if we're going to do that because of security risks I'd like

Re: Unimplement: @-moz-document regexp support?

2014-07-08 Thread Ehsan Akhgari
On 2014-07-08, 6:34 PM, L. David Baron wrote:
> On Monday 2014-07-07 15:18 -0400, Ehsan Akhgari wrote:
> > That seems pretty bad. I think we should at least stop supporting it for Web content. David, what do you think?
> I'm ok with restricting it to UA and user style sheets, although if we're

Unimplement: @-moz-document regexp support?

2014-07-07 Thread Frederik Braun
Summary: Attackers can extract secret URL components (e.g. session IDs, oauth tokens) using @-moz-document. Using the regexp support and assuming a CSS injection (no XSS needed!), the attacker can probe the current URL with some regular expressions and send the URL parameters to a third party. A

Re: Unimplement: @-moz-document regexp support?

2014-07-07 Thread Ehsan Akhgari
That seems pretty bad. I think we should at least stop supporting it for Web content. David, what do you think?

Cheers,
Ehsan

On 2014-07-07, 4:56 AM, Frederik Braun wrote:
> Summary: Attackers can extract secret URL components (e.g. session IDs, oauth tokens) using @-moz-document. Using the