Mozilla Foundation Security Advisory 2015-03
sendBeacon requests lack an Origin header
- Announced
- January 13, 2015
- Reporter
- Muneaki Nishimura
- Impact
- Moderate
- Products
- Firefox, Firefox ESR, Firefox OS, SeaMonkey, Thunderbird
- Fixed in
-
- Firefox 35
- Firefox ESR 31.4
- Firefox OS 2.2
- SeaMonkey 2.32
- Thunderbird 31.4
Description
Security researcher Muneaki Nishimura reported that
navigator.sendBeacon()
does not follow the cross-origin resource
sharing (CORS) specification. This results in the request from
sendBeacon()
lacking an origin
header in violation of
the W3C Beacon specification and not
being treated as a CORS request. This allows for a potential Cross-site request
forgery (XSRF) attack from malicious websites.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.