Created attachment 8787683
This is a video file about the bug.

1. Open Mozilla Firefox.
2. Type any firstname.lastname@example.org.
3. You will be redirected to otherwebsite.com with website.com post data, and the website after @ will open. This can be used to trick a user into being redirected to a phishing website, to produce a CSRF-like attack, or to post attacker-controlled custom form post data, which is very high risk. Video is attached.
4. It should open a search engine result, like when we add text other than a website URL and the search engine displays results. Or it should open mailto: instead of http:.
As the video explicitly shows, we show the user a warning dialog detailing very carefully where they're going (otherwebsite.com, not website.com) and additionally, the data will not be used as POST data but as HTTP auth data, so no CSRF is possible. The website is also correctly highlighted in the location bar at all times. This isn't a security vulnerability.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → INVALID
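Added example, not code from this bug or from Firefox: it resolves typed location-bar text the way the triager describes, showing that the host actually contacted is the one after "@" and that the prefix is RFC 3986 userinfo (HTTP auth credentials, not form or POST data). Prepending "http://" when no scheme is typed and the domain-like heuristic for a deceptive prefix are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Heuristic constructed for this example: a userinfo part that ends in a
# short alphabetic label ("com", "org", ...) reads like a domain name, which
# is the case a destination warning dialog exists for.
_DOMAIN_LIKE = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)*\.[a-z]{2,6}$", re.I)


def analyse_typed_url(text):
    """Resolve what would actually be fetched for text typed into the
    location bar, assuming http:// is prepended when no scheme is given."""
    url = text if "://" in text else "http://" + text
    parts = urlsplit(url)
    # Everything before the last '@' in the authority is userinfo (RFC 3986);
    # it is only ever sent as HTTP authentication credentials.
    userinfo = parts.netloc.rsplit("@", 1)[0] if "@" in parts.netloc else None
    return {
        "host": parts.hostname,            # the site that is really contacted
        "userinfo": userinfo,              # credentials, never POST data
        "has_credentials": userinfo is not None,
        "looks_deceptive": bool(userinfo and _DOMAIN_LIKE.match(userinfo)),
    }


def warning_text(text):
    """Defender-side message mirroring the dialog the triager describes:
    name the real destination rather than the text before '@'."""
    info = analyse_typed_url(text)
    if not info["has_credentials"]:
        return None
    return (f'You are about to log in to {info["host"]} with user name '
            f'"{info["userinfo"]}". {info["host"]} receives this only as an '
            f'HTTP authentication credential, not as form data.')


if __name__ == "__main__":
    # Constructed samples modelled on the report's example URLs.
    for sample in ("firstname.lastname@example.org",
                   "http://website.com@otherwebsite.com/login",
                   "http://otherwebsite.com/login"):
        print(sample, "->", analyse_typed_url(sample))
```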