Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)

From: Michal Zalewski <>
To: bugtraq <>,full-disclosure <>
Subject: Firefox 3.6.13 pseudo-URL SOP check bug (CVE-2010-3774)

Hi folks,

Firefox 3.6.13 fixes an interesting bug in their same-origin policy
logic for pseudo-URLs that do not have any inherent origin associated
with them. These documents are normally expected to inherit the
context from their parent, or be assigned a unique one. This didn't
work as expected in Firefox, apparently due to a code refactoring in
2008. The vulnerability permits malicious websites to access and
modify the contents of special pages such as about:neterror or
about:config, which has consequences ranging from content spoofing to
complete subversion of the browser security model.

More info:
Whimsical PoC:

PS. I posted a couple of probably interesting browser security
write-ups on my blog of recent, recapping the status quo in areas such
as HTTP cookie security. Some readers might find them interesting /
useful - say:


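Added example, not part of the original post and not Firefox code: a toy JavaScript model of the rule the message describes, where a document loaded from a pseudo-URL either inherits its parent's origin or is assigned a unique one. Which pseudo-URLs inherit, and all function names, are assumptions chosen for illustration.

```javascript
"use strict";
// Toy model of origin assignment (added illustration, not Firefox code).
// Assumption: the split between inheriting and unique-origin pseudo-URLs
// below is picked for the example only.
const INHERIT = [/^about:blank$/i, /^javascript:/i];

let nextOpaqueId = 0;

// Tuple origin for hierarchical URLs, e.g. "https://site.example:443".
function tupleOrigin(url) {
  const u = new URL(url);
  const port = u.port || { "http:": "80", "https:": "443" }[u.protocol];
  return { kind: "tuple", key: `${u.protocol}//${u.hostname}:${port}` };
}

// Unique origin: equal only to itself, never to any other document.
function opaqueOrigin(label) {
  return { kind: "opaque", id: ++nextOpaqueId, label };
}

// Decide the security context of a new document. parentOrigin is the
// origin of the document that created or navigated it (null if none).
function assignOrigin(url, parentOrigin) {
  if (/^https?:/i.test(url)) return tupleOrigin(url);
  if (INHERIT.some((re) => re.test(url))) {
    // Inherit when there is a parent; with no parent, fail closed.
    return parentOrigin || opaqueOrigin(url);
  }
  // Every other pseudo-URL (about:config, about:neterror, data:, ...)
  // gets a fresh unique origin rather than an empty or shared one.
  return opaqueOrigin(url);
}

// Same-origin check that never treats a missing origin as a match.
function sameOrigin(a, b) {
  if (!a || !b) return false;
  if (a.kind !== b.kind) return false;
  if (a.kind === "opaque") return a.id === b.id;
  return a.key === b.key;
}
```

The property to check in any such model is that a web page's origin never compares equal to the origin of a special page, and that a document with no origin at all fails the comparison instead of passing it.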