--- layout: post status: publish published: true title: Firefox 3 disallows cross-site XBL wordpress_id: 256 wordpress_url: http://pro.grammatic.org/post-firefox-3-disallows-crosssite-xbl-45.aspx date: !binary |- MjAwOC0wMi0yOCAxNTo0MDo0NSArMDEwMA== date_gmt: !binary |- MjAwOC0wMi0yOCAxNTo0MDo0NSArMDEwMA== categories: - Technology - InfoSec tags: - information security - XBL - offsite - Firefox 3 comments: [] ---
Well, I decided to play around a little with Firefox 3 Beta 3 today and discovered that it looks like the ever popular -moz-binding css attribute is now rendered a little less useful. It is now impossible to load off-site XBL via this method.
However, all is not lost. For in patching one of the biggest holes in Firefox's security model, the infinite wisdom of the FF devs is that it is now possible to embed a -moz-binding URL tag inline, like this:
{% highlight html %} {% endhighlight %}Using this method provides for no use of a fragment identifier, indeed it is only possible to use the first element. The above XBL decodes to:
{% highlight xml %}which essentially creates a nice new DOM script element that loads alert.js.