- Only the GET request method seems to be affected. There does not appear to be any mechanism to submit POST data.
- If the user's browser is configured to not submit Referer information (e.g., network.http.sendRefererHeader=0), these attacks obviously do nothing.
- The attack will fail if the user forcibly kills the browser, turns off her machine or severs her Internet connection before dismissing the dialog box.
- The examples use dynamically generated iframe for demonstration purposes. These attacks work equally as well for static pages or top level content (e.g., sample using meta refresh [source]). Unfortunately, it is not as stealthy.
- The meta refresh approach is most desirable, because the initial request is submitted without any referer information making the attack more difficult to detect.
- These examples use intentionally goofy text. A real attack would use more appropriate text.
- Invoking the "Joke Method" twice in a row crashes MineField/3.0a9pre.
November 27th, 2007