1.9.1 branch has a similar problem to bug 584180. On 1.9.1, SJOW creates a scripted function that can be abused. If a scripted function's parent is an outer window, an array that is created in that function comes from a current inner window.
Created attachment 463776: testcase
This tries to get cookies for www.apple.com. This works on 1.9.1.
Created attachment 464682: Patch
Assignee: nobody → mrbkap
Status: NEW → ASSIGNED
Attachment #464682 - Flags: review?(jst)
Comment on attachment 464682: Patch
I don't actually know what release this should go in.
Attachment #464682 - Flags: approval18.104.22.168?
blocking1.9.1: --- → ?
status1.9.1: --- → wanted
status1.9.2: --- → unaffected
status2.0: --- → unaffected
Comment on attachment 464682: Patch
a=LegNeato for 22.214.171.124
Attachment #464682 - Flags: approval126.96.36.199? → approval188.8.131.52+
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
status1.9.1: wanted → .12-fixed
Resolution: --- → FIXED