1.68 KB, text/plain
Created attachment 585220 [details] Simple example implementation of the attack (Python 3.x) User Agent: Mozilla/5.0 (X11; Linux i686) AppleWebKit/535.11 (KHTML, like Gecko) Chrome/17.0.963.12 Safari/535.11 Steps to reproduce: Create a web server that serves an image including an Authorization header; records all usernames and passwords, serves the image in any case. Then embed the image in a website that allows it (a forum, webchat, wikipedia). Actual results: Firefox displays a popup prompting the user to enter a username and password. A user doesn't realise it's a foreign popup, enters their username/password for the site embedding the image, the attacker now knows their credentials, everything looks normal again. Expected results: Firefox should not display the Authorization popup if the resource doesn't have the same origin as the embedding page.