Brendan, your patch in comment 5 fixes the vulnerability from comment 0, but not the vulnerability from comment 2 (more details for both in comment 4). Are you intentionally keeping the second vulnerability open (for a follow-up)? An easy way to fix the issue from comment 2 is to also block redirects for non-range requests, but that is more likely going to cause regressions. A less risky (i.e. not unnecessarily restrictive) way to resolve both issues at once is to check `xhr.responseURL` before processing the response. I'll leave the choice to you.
Bug 1683940 Comment 6 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Brendan, your patch in comment 5 fixes the vulnerability from comment 0, but not the vulnerability from comment 2 (more details for both in comment 4). Are you intentionally keeping the second vulnerability open (for a follow-up)? An easy way to fix the issue from comment 2 is to also block redirects for non-range requests, but that is more likely going to cause regressions. A less risky (i.e. not unnecessarily restrictive) way to resolve both issues at once is to check `xhr.responseURL` before processing the response. I'll leave the choice to you. EDIT: Brendan pointed out that the code path for the second issue is unreachable dead code. It's fine to proceed with just the fix for the bug from the initial bug report.
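The `xhr.responseURL` check suggested above, as an added illustration (not code from the bug's patch or from the comment author): the response is only handed to the consumer when the final URL the browser reports equals the URL that was requested, so a redirected response, whether or not the request carried a Range header, is rejected. Everything below is hypothetical: `processResponse`, `redirectedFrom`, the constructed XMLHttpRequest stand-ins and the example URLs are assumptions made for the example, not identifiers from the bug.

```javascript
// Added example, not the patch from the bug. Guards XHR response
// processing by checking xhr.responseURL against the requested URL.
// Hypothetical names throughout.

// responseURL never carries a fragment, so drop the fragment from both
// sides before comparing. `base` resolves relative request URLs
// (document.baseURI in a browser, undefined in Node for absolute URLs).
function normalizeUrl(url, base) {
  const u = new URL(url, base);
  u.hash = '';
  return u.href;
}

// True when the response must not be trusted as coming from `requestedUrl`.
// An empty responseURL means the browser could not tell us the final URL
// (e.g. a network error), so that case is treated as a redirect too.
function redirectedFrom(requestedUrl, xhr, base) {
  if (typeof xhr.responseURL !== 'string' || xhr.responseURL === '') {
    return true;
  }
  return normalizeUrl(xhr.responseURL, base) !== normalizeUrl(requestedUrl, base);
}

// Wraps the consumer's handler: the body is only processed when the
// response came from the URL that was actually requested.
function processResponse(requestedUrl, xhr, handler, base) {
  if (redirectedFrom(requestedUrl, xhr, base)) {
    return { accepted: false, reason: 'redirected', finalUrl: xhr.responseURL };
  }
  return { accepted: true, result: handler(xhr) };
}

// Browser-side usage: run the check from the load handler, before the
// response body is touched. Defined only where XMLHttpRequest exists.
function fetchChecked(url, handler, onReject) {
  if (typeof XMLHttpRequest === 'undefined') return null;
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url);
  xhr.onload = () => {
    const outcome = processResponse(url, xhr, handler, document.baseURI);
    if (!outcome.accepted) onReject(outcome);
  };
  xhr.send();
  return xhr;
}

// Constructed stand-ins for XMLHttpRequest objects (example data only).
const sameUrl = {
  status: 200,
  responseURL: 'https://example.org/media/clip.bin',
  responseText: 'payload',
};
const redirected = {
  status: 200,
  responseURL: 'https://other.example/media/clip.bin',
  responseText: 'payload',
};
const unknown = { status: 0, responseURL: '', responseText: '' };

// Direct response is processed; redirected and unknown are rejected.
processResponse('https://example.org/media/clip.bin#t=5', sameUrl, x => x.responseText);
processResponse('https://example.org/media/clip.bin', redirected, x => x.responseText);
processResponse('https://example.org/media/clip.bin', unknown, x => x.responseText);
```

The comparison is on the whole URL rather than just the origin: a same-origin redirect to a different path would otherwise still slip through, and the check costs nothing extra. In a real integration the `onReject` path should discard the body without logging it, since a rejected response is by definition content the caller did not ask for.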