> To bypass protection from JavaScript code execution via refresh header it's > needed to use data: URI, which will be containing requisite JS code. > [...] After I informed Mozilla, they declined to fix this vulnerability. "Refresh" or "Location" redirection in Firefox will not bestow a security context derived from the referring site upon the executed code. This is different from the behavior on javascript: URLs. Granted, it and also somewhat counterintuitive, as other types of data: navigation - e.g., link navigation, IFRAMEd content, location.* updates - do inherit that context. This means that there is nothing to be gained by redirecting to data: through www.example.com; he could as well just redirect to his own site and run any potentially malicious JavaScript there. /mz
