This is fx2-only. (On trunk, the same-origin check in question compares an old URI to a new URI.) The same-origin check in nsXMLHttpRequest::OnChannelRedirect() uses a principal of an associated JS context. It can be circumvented by loading a cross-origin page in that context before nsXMLHttpRequest::OnChannelRedirect() is called. By using this trick, an attacker can read contents and http headers of a target site. Upcoming testcase consists of an html and a cgi script, thus it does not work on bugzilla.mozilla.org. Please set up it in a suitable place.
Jonas, any reason not to just make fx2 do what trunk does here? I.e. just compare the URIs and not bother using the unreliable context pointer here?
Yup, that's what we should do
Jonas can you work up the patch?
Created attachment 325799 [details] [diff] [review] Fix per above comments. This fixes this bug, verified with local install of the testcase.
Comment on attachment 325799 [details] [diff] [review] Fix per above comments. Not sure if we've decided to take more changes for 126.96.36.199, but if we did this would be a good candidate.
Comment on attachment 325799 [details] [diff] [review] Fix per above comments. Approved for 188.8.131.52 and 184.108.40.206, a=dveditz for release-drivers Please land on both branches (MOZILLA_1_8_BRANCH for 220.127.116.11 and GECKO181_20080612_RELBRANCH for 18.104.22.168) and give the bug both fixed22.214.171.124 and fixed126.96.36.199 keywords
Fix landed on both branches.
Verified the bug with Firefox 188.8.131.52 and the fix with the final 184.108.40.206 build (Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:220.127.116.11) Gecko/2008062305 Firefox/18.104.22.168).
I've verified this, again, with : Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en-US; rv:22.214.171.124) Gecko/2008070205 Firefox/126.96.36.199. With 188.8.131.52, I get the data from mozilla.com in great detail. This does not happen in 184.108.40.206.
Comment on attachment 325799 [details] [diff] [review] Fix per above comments. This patch had approval for 220.127.116.11, but apparently the flags got moved out. Clearing that flag to clear the queries.