This XSS attack only works against certain sites that are using scripts that try to change a parent window's location.href. An attacker can run script with a target site's principal by using location.watch("href", ...) and Object.prototype.__lookup(G|S)etter__ method that came from an xbl compilation scope or a target site's global scope. <marquee id="m"> func = m.init.__lookupGetter__; or <iframe src="target site"> func = frames[0].location.__lookupGetter__; location.watch("href", func); location.__lookupGetter__("href").toString = function() { return "data:text/html,<script> ... </script>"; }; 1. A target site's script executes |top.location.href = foo|. 2. __lookupGetter__("href", undefined, foo) is called on the location object in top window, and it returns the location.href getter function. 3. The href getter function's toString() method is called and returns a data: url. 4. The data: url is loaded with the target site's principal. This affects the trunk, fx2.0.0.1, fx1.5.0.9, fx1.0.8 and moz1.7.13.

The "watch" part reminds me of bug 354978, but that one is fixed now and doesn't do anything to stop these testcases.

Targeting to B1 per conversation with Blake.

Fixed by cross origin wrappers.