This vulnerability is with regard to how easy it is to create an XSS + worm + phishing attack without necessarily triggering a non-technical user's security alarm. This could become a common attack vector at any point in time.
1. Create a Facebook group, 'Get $25 from $BANK'. (This works for any social networking site.)
3. Use your new access to help promote the group in a worm-style manner, in a TRUSTED ENVIRONMENT: "Your friend Joe Smith has invited you to join the group, 'Get $25 from $BANK'."
Non-malicious examples of 1-3 in the wild:
5. Use the script loader to load http://www.example.com/maliciousscript.js which mutates the DOM (blows everything away)--without making a page request--and turns it into a phishing site.
*** <FIXABLE PROBLEM> ***
*** </FIXABLE PROBLEM> ***
7. Steal usernames and passwords from thousands of people. Profit.
I've reported this issue to Mozilla as well, bug 527530.
Can you say concretely what change you'd like us to make?
Also, can you CC firstname.lastname@example.org to the Mozilla bug so we can coordinate our response? Thanks.
Never mind, I see that Mozilla has made this issue public. I'm doing the same here.
The change I am suggesting:
I'm sorry, but that's not a bug in WebKit. The embedder (Safari) controls whether to reset the location bar. For example, Chrome uses WebKit and does reset the location bar. You should file a bug here: