[Full-disclosure] Firefox: serious cookie stealing / same-domain bypass vulnerability
lcamtuf at dione.ids.pl
Thu Feb 15 13:09:56 GMT 2007
On Thu, 15 Feb 2007, 3APA3A wrote:
> Mitigating factor: it doesn't work through proxy, because for proxy URI
> is sent instead of URL and request will be incomplete.
Yup. Depends on the proxy, actually ('GET http://evil.com' might get
parsed as HTTP/0.9) - but Squid, both in direct and in reverse mode (say,
on Wikipedia), will reject such a request.
Full-Disclosure is hosted and sponsored by Secunia.