Mozilla Foundation Security Advisory 2015-115

Cross-origin restriction bypass using Fetch

Announced

October 15, 2015

Reporter

Abdulrahman Alqabandi

Impact

High

Products

Firefox

Fixed in

Firefox 41.0.2

Description

Security researcher Abdulrahman Alqabandi reported that the fetch() API did not correctly implement the Cross-Origin Resource Sharing (CORS) specification, allowing a malicious page to access private data from other origins. Mozilla developer Ben Kelly independently reported the same issue.

References

Cross-origin restriction bypass using Fetch (CVE-2015-7184)
released fetch() allows full access to body on credentialed cross-origin no-cors request

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2015-115

Cross-origin restriction bypass using Fetch

Description

References