The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation. Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 do not properly handle the interaction between FRAME elements and history, which allows remote attackers to conduct cross-site scripting (XSS) attacks via vectors involving spoofing a relative location in a previously visited document. Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.
Some Gecko-based browsers may not opt into using this token for this reason, sniffers should be looking for Gecko - not Firefox! firefoxversion will generally represent the equivalent Firefox release corresponding to the given Gecko version. Firefox/firefoxversion is an optional compatibility token that some Gecko-based browsers may choose to incorporate, to achieve maximum compatibility with websites that expect Firefox.For instance, this could be " Camino/2.1.1", or " SeaMonkey/2.7.1". appname/appversion indicates the application name and version.Mozilla/5.0 (platform rv:geckoversion) Gecko/geckotrail appname/appversion Mozilla/5.0 (platform rv:geckoversion) Gecko/geckotrail Firefox/firefoxversion appname/appversion Note: The recommended way of sniffing for Gecko-based browsers (if you have to sniff for the browser engine instead of using feature detection) is by the presence of the " Gecko" and " rv:" strings, since some other browsers include a " like Gecko" token.įor other products based on Gecko, the string can take one of two forms, where the tokens have the same meaning except those noted below: Experimental Feature-Policy: xr-spatial-tracking.Experimental Non-Standard Feature-Policy: unsized-media.Experimental Non-Standard Feature-Policy: unoptimized-images.Experimental Feature-Policy: speaker-selection.Experimental Feature-Policy: screen-wake-lock.Experimental Feature-Policy: publickey-credentials-get.Experimental Feature-Policy: picture-in-picture.Experimental Non-Standard Feature-Policy: oversized-images.Experimental Feature-Policy: microphone.Experimental Feature-Policy: magnetometer.Experimental Non-Standard Feature-Policy: legacy-image-formats.Experimental Non-Standard Feature-Policy: layout-animations.Experimental Feature-Policy: geolocation.Experimental Feature-Policy: fullscreen.Experimental Feature-Policy: encrypted-media.Experimental Feature-Policy: document-domain.Experimental Feature-Policy: display-capture.Experimental Feature-Policy: ambient-light-sensor.Experimental Feature-Policy: accelerometer.Reason: CORS preflight channel did not succeed.Reason: CORS header 'Origin' cannot be added.Reason: Credential is not supported if the CORS header 'Access-Control-Allow-Origin' is '*'.Reason: Multiple CORS header 'Access-Control-Allow-Origin' not allowed.Reason: CORS header 'Access-Control-Allow-Origin' missing.Reason: missing token 'xyz' in CORS header 'Access-Control-Allow-Headers' from CORS preflight channel.Reason: expected 'true' in CORS header 'Access-Control-Allow-Credentials'.Reason: Did not find method in CORS header 'Access-Control-Allow-Methods'.