Mozilla Foundation Security Advisory 2014-86

CSP leaks redirect data via violation reports

Announced

December 2, 2014

Reporter

Muneaki Nishimura

Impact

High

Products

Firefox, Firefox OS, SeaMonkey

Fixed in

Firefox 34
Firefox OS 2.2
SeaMonkey 2.31

Description

Security researcher Muneaki Nishimura discovered that Content Security Policy (CSP) violation reports triggered by a redirect did not remove path information as required by the CSP specification. This potentially reveals information about the redirect that would not otherwise be known to the original site. This could be used by a malicious site to obtain sensitive information such as usernames or single-sign-on tokens encoded within the target URLs.

This issue did not affect versions prior to Firefox 33.

References

CSP violation report contains sensitive data of other origin after redirect (CVE-2014-1591)

Firefox for Desktop

Firefox for Android

Firefox for iOS

Firefox Focus

Firefox Blog

Release Notes

Mozilla Monitor

Facebook Container

Pocket

Mozilla VPN

Firefox Relay

MDN Plus

Fakespot

Mozilla Manifesto

Mozilla Foundation

Leadership

Get involved

Careers

Mozilla Blog

Firefox Developer Edition

MDN Web Docs

Mozilla Innovation Projects

Common Voice

Mozilla Foundation Security Advisory 2014-86

CSP leaks redirect data via violation reports

Description

References