Mozilla Foundation Security Advisory 2010-13

Content policy bypass with image preloading

Announced

March 23, 2010

Reporter

Josh Soref, Nokia

Impact

Moderate

Products

Firefox

Fixed in

Firefox 3.6.2

Description

Mozilla developer Josh Soref of Nokia reported that documents failed to call certain security checks when attempting to preload images. Although the image content is not available to the page, it is possible to specify protocols that are normally not allowed in a web page such as file:. This includes internal schemes implemented by add-ons that might perform privileged actions resulting in something like a Cross-Site Request Forgery (CSRF) attack against the add-on. Potential severity would depend on the add-ons installed.

References

https://bugzilla.mozilla.org/show_bug.cgi?id=540642
CVE-2010-0168

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Impact

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2010-13

Content policy bypass with image preloading

Description

References