make -moz-document useless for scriptless attacks

RESOLVED DUPLICATE of bug 1035091

Status

defect
5 years ago
4 years ago

People

(Reporter: freddyb, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Description

5 years ago
Scriptless attacks (i.e. CSS injections) can be used to leak secret data in the URL (session id, oauth token) to a third party.

If we removed -moz-document completely, this would not be possible.
Alternatively, we could also stop supporting -moz-document for web content. Or we could just remove the regex feature.


Explanation of scriptless attacks: http://www.nds.rub.de/research/publications/scriptless-attacks/
Status: NEW → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1035091
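
Added example, not part of the bug report or of Firefox's code: until the browser restricts the rule, a site that accepts user-supplied CSS can refuse any stylesheet containing an `@-moz-document` at-rule. The sketch decodes CSS escapes in the at-keyword, because a plain substring match misses spellings such as `@-moz-d\6f cument`. The function names and the reject-the-whole-sheet policy are assumptions, and the sample inputs are constructed.

```python
import re

HEX = "0123456789abcdefABCDEF"
WS = " \t\n\r\f"
_NAME_CHAR = re.compile(r"[-\w]|[^\x00-\x7f]")  # characters allowed in a CSS name

def read_at_keyword(css, i):
    """Decode the identifier that starts at css[i], resolving CSS escapes."""
    out, n = [], len(css)
    while i < n:
        c = css[i]
        if c == "\\" and i + 1 < n and css[i + 1] not in "\n\r\f":
            i += 1
            if css[i] in HEX:
                j = i
                while j < n and j - i < 6 and css[j] in HEX:
                    j += 1                      # up to six hex digits
                cp = int(css[i:j], 16)
                valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
                out.append(chr(cp) if valid else "\ufffd")
                if css[j:j + 2] == "\r\n":      # one optional whitespace ends the escape
                    j += 2
                elif j < n and css[j] in WS:
                    j += 1
                i = j
            else:
                out.append(css[i])              # "\m" is just "m"
                i += 1
        elif _NAME_CHAR.match(c):
            out.append(c)
            i += 1
        else:
            break
    return "".join(out)

def find_moz_document(css):
    """Offsets of every '@' whose decoded keyword is -moz-document."""
    return [m.start() for m in re.finditer("@", css)
            if read_at_keyword(css, m.end()).lower() == "-moz-document"]

def accept_user_css(css):
    """Assumed policy: reject the whole sheet if the at-rule appears anywhere."""
    return not find_moz_document(css)

if __name__ == "__main__":
    # Constructed samples with harmless rule bodies.
    for sheet in ['@media screen { p { color: red } }',
                  '@-moz-document regexp(".*") { p { color: red } }',
                  r'@-moz-d\6f cument regexp(".*") { p { color: red } }']:
        print(accept_user_css(sheet), sheet)
```

The scan ignores string and comment context on purpose, so a sheet that merely mentions the keyword inside a string is also rejected; that errs toward refusing input.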