Well, "chrome privileged documents" simply refer to documents accessed via a chrome:// URL. Since websites can embed chrome resources, they can be used as an attack vector. Further info on Mozilla's Chrome system:https://developer.mozilla.org/en-US/docs/Mozilla/Tech/XUL/Tutorial/XUL_Structure …
-
-
-
Wait, WHAT? How/why can sites embed chrome:// stuff?
-
That's the key question. I'm still trying to grasp. But that is, what the statement by the German CERT says: https://www.cert-bund.de/advisoryshort/CB-K18-0193 …
-
If that's actually possible, the flaws here are far deeper than this CVE.
-
True.
End of conversation
New conversation -
-
-
Not a Mozilla developer, but it looks like attacker can run JavaScript with the same access to OS as native code. (Firefox's privileged JS API is extensive. ) Vector is hard to say, since this is a general layer of defense to many vectors of XSS attacks.
Thanks. Twitter will use this to make your timeline better. UndoUndo
-
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.