Created attachment 585220
Simple example implementation of the attack (Python 3.x)
User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.12 Safari/535.11
Steps to reproduce:
Create a web server that serves an image but requires an Authorization header; it records all usernames and passwords and serves the image in any case.
Then embed the image in a website that allows it (a forum, webchat, wikipedia).
Firefox displays a popup prompting the user to enter a username and password. A user doesn't realise it's a foreign popup and enters their username/password for the site embedding the image; the attacker now knows their credentials, and everything looks normal again.
Firefox should not display the Authorization popup if the resource doesn't have the same origin as the embedding page.
*** This bug has been marked as a duplicate of bug 647010 ***
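As an added example, not code from the bug report, its attachment, or Firefox: a small policy function expressing the proposed fix, that a browser should only raise a username/password dialog for a subresource when that resource shares the page's origin. The function names (`shouldPromptForCredentials`, `originOf`) and the sample hosts are constructed for illustration; origin comparison uses the WHATWG `URL` class, which normalises the host and drops default ports.

```javascript
// Added example, not from the bug report or Firefox: a policy check for the
// rule "only prompt for HTTP credentials when the resource has the same
// origin as the embedding page". Names and sample hosts are constructed.

// Origin = scheme + host + port, normalised (lower-case host, default port
// dropped). Returns null for unparsable URLs so callers can fail closed.
function originOf(url) {
  try {
    return new URL(url).origin;
  } catch (e) {
    return null;
  }
}

// Case-insensitive header lookup; HTTP header names are not case-sensitive.
function header(headers, name) {
  const want = name.toLowerCase();
  for (const key of Object.keys(headers)) {
    if (key.toLowerCase() === want) return headers[key];
  }
  return null;
}

// Decide whether the browser may show a credential dialog for a subresource.
// topLevelUrl: the page the user sees in the address bar.
// resourceUrl: the subresource (e.g. an <img src>) that answered the request.
function shouldPromptForCredentials(topLevelUrl, resourceUrl, status, headers) {
  // Only a 401 carrying a WWW-Authenticate challenge can ask for credentials.
  if (status !== 401) return false;
  const challenge = header(headers, 'WWW-Authenticate');
  if (!challenge) return false;
  // Only Basic and Digest challenges lead to a browser-drawn dialog.
  const scheme = challenge.trim().split(/[\s,]/)[0].toLowerCase();
  if (scheme !== 'basic' && scheme !== 'digest') return false;

  const pageOrigin = originOf(topLevelUrl);
  const resourceOrigin = originOf(resourceUrl);
  if (pageOrigin === null || resourceOrigin === null) return false; // fail closed
  // The proposed rule: a cross-origin subresource must not raise the dialog;
  // its 401 is treated as an ordinary failed load (a broken image).
  return pageOrigin === resourceOrigin;
}

// Constructed samples: a forum page embedding images from several hosts.
const page = 'https://forum.example/thread/42';
const challenge = { 'WWW-Authenticate': 'Basic realm="members"' };

const samples = [
  // Same origin: a protected avatar on the forum itself may prompt.
  { src: 'https://forum.example/avatars/7.png', status: 401, headers: challenge },
  // Third-party host: must not prompt, however convincing the realm string.
  { src: 'https://third-party.invalid/img.png', status: 401, headers: challenge },
  // Same host, different scheme: a different origin, so no prompt.
  { src: 'http://forum.example/avatars/7.png', status: 401, headers: challenge },
  // Same host, non-default port: also a different origin.
  { src: 'https://forum.example:8443/avatars/7.png', status: 401, headers: challenge },
  // Same origin but no challenge: nothing to prompt for.
  { src: 'https://forum.example/avatars/8.png', status: 200, headers: {} },
];

// Returns, for each sample, whether the policy would allow a dialog.
function evaluateSamples() {
  return samples.map(s => ({
    src: s.src,
    prompt: shouldPromptForCredentials(page, s.src, s.status, s.headers),
  }));
}

for (const r of evaluateSamples()) {
  console.log(`${r.prompt ? 'PROMPT' : 'silent'}  ${r.src}`);
}
```

Of the five samples only the first is allowed to prompt; the scheme and port cases show why a host-name comparison alone would be too loose, since the origin tuple includes both.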