| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 3 Jul 2009 10:07:20 -0700 From: Michal Zalewski <lcamtuf@...edump.cx> To: MustLive <mustlive@...security.com.ua> Cc: bugtraq@...urityfocus.com Subject: Re: Cross-Site Scripting vulnerabilities in Mozilla, Internet Explorer, Opera and Chrome > refresh: 0; URL=javascript:alert(document.cookie) > The code will work in context of this site. ...which happens to be covered here for half a year or so: http://code.google.com/p/browsersec/wiki/Part2#Redirection_restrictions I can't see how this could be a vulnerability per se, although changing the behavior offers an additional, if small, degree of protection in case of security lapses in web applications, so it's a reasonable improvement. Cheers, /mz
Powered by blists - more mailing lists