Re: Firefox: serious cookie stealing / same-domain bypass vulnerability



On Thu, 15 Feb 2007, 3APA3A wrote:

Mitigating factor: it doesn't work through proxy, because for proxy URI
is sent instead of URL and request will be incomplete.

Yup. Depends on the proxy, actually ('GET http://evil.com' might get
parsed as HTTP/0.9) - but Squid, both in direct and in reverse mode (say,
on Wikipedia), will reject such a request.

Cheers,
/mz