Mozilla Foundation Security Advisory 2015-03

sendBeacon requests lack an Origin header

Announced
January 13, 2015
Reporter
Muneaki Nishimura
Impact
Moderate
Products
Firefox, Firefox ESR, Firefox OS, SeaMonkey, Thunderbird
Fixed in
  • Firefox 35
  • Firefox ESR 31.4
  • Firefox OS 2.2
  • SeaMonkey 2.32
  • Thunderbird 31.4

Description

Security researcher Muneaki Nishimura reported that navigator.sendBeacon() does not follow the cross-origin resource sharing (CORS) specification. This results in the request from sendBeacon() lacking an origin header in violation of the W3C Beacon specification and not being treated as a CORS request. This allows for a potential Cross-site request forgery (XSRF) attack from malicious websites.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.

References