You see, yesterday, a cryptically titled post, "IFrames and URL Stringency", appeared on their official blog. I am quoting one of the key paragraphs here:
"The URL obfuscation is a big stringency in the online world. Actually, it tests the browser efficiency to dissect the behavior of crafted URL. That has to be done. The browsers have shown falsified behavior in determining the source and destination of URLs when it is obfuscated or fused with meta characters. This is dangerous from a user perspective because a victim can go to undesired destination. Well, lot of changes have been noticed in browser development with respect to that but in certain conditions, browsers still fail to find the authentic nature of URLs being rendered in the browser."
The nearly incomprehensible post reminds me of the writings of Gene Ray - but thankfully, it eventually references Mozilla bug 570658. From this bug, it quickly becomes evident that the problem is a wonderful non-issue - and this should be apparent to any layperson willing to actually try and understand the alleged flaw.
In essence, several years ago, Firefox opted to display a warning when the top-level document is navigated to a URL that contains embedded HTTP authentication credentials, i.e. the user:password@host syntax permitted by the URL RFCs. They did this to combat the surge of phishing attacks against non-technical audiences, which relied on the fact that everything before the @ sign is ignored for routing purposes, and used misleading URLs such as:
While the decision to cripple HTTP authentication is somewhat contentious, the step clearly has some merit: the more RFCs you need to read to understand the contents of the address bar, the less likely you are to get it right.
Aditya's complaint in the aforementioned bug is very simple, and boils down to the observation that Firefox employs this warning only for the top-level document - but does not apply this logic to subresources such as IFRAMEs. If you think about it for five seconds or so, it's painfully evident why: there is simply no need to do so. The URLs of these subresources are never displayed in the address bar, and therefore, there is no opportunity to confuse the user in any way. There is no reasonable attack scenario where this would matter. It's common sense, too: you don't need to be able to tell a buffer overflow from a format string vulnerability to understand why.
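To make the two points above concrete, here is an added example (my own, not code from the original post, from Firefox, or from Mozilla bug 570658). It uses the WHATWG URL parser that ships with Node.js and every modern browser to show what a credential-bearing URL actually resolves to, and then models the Firefox policy under discussion: warn only when such a URL is about to land in the address bar. The hostnames are constructed for illustration, and the isTopLevel flag is a stand-in for the navigation context the browser knows internally; it is not a real Firefox API.

```javascript
// Added example, not part of the original post. Demonstrates why a URL with
// embedded credentials is misleading to a human but not to the parser, and
// why a warning only makes sense for top-level navigations.
// All hostnames below are constructed for illustration.

// Crude heuristic: does a userinfo component look like a hostname?
// Attackers put a trusted-looking host name here so it is what the eye
// lands on first; the real destination follows the '@'.
function looksLikeHost(s) {
  return /^[a-z0-9-]+(\.[a-z0-9-]+)+$/i.test(s);
}

// Parse a URL and report where it really goes versus what it appears to be.
// Returns null for strings the parser rejects.
function describeUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch (e) {
    return null;
  }
  const username = decodeURIComponent(u.username);
  const hasCredentials = u.username !== '' || u.password !== '';
  return {
    realHost: u.hostname,          // where the request is actually sent
    port: u.port,                  // '' when the scheme default applies
    username,                      // everything before ':' or '@' in userinfo
    password: u.password,          // e.g. "443" in www.bank.example:443@evil.example
    hasCredentials,
    // Misleading when the part a casual reader sees first is a plausible host
    // that differs from the real one.
    misleading: hasCredentials && looksLikeHost(username) &&
      username.toLowerCase() !== u.hostname,
  };
}

// Model of the policy described in the post: the warning exists because the
// top-level URL is shown in the address bar. A subresource (IFRAME, IMG,
// script) never is, so there is nothing to warn about. `isTopLevel` is a
// hypothetical parameter standing in for the browser's navigation context.
function shouldWarn(raw, isTopLevel) {
  const info = describeUrl(raw);
  return info !== null && isTopLevel && info.hasCredentials;
}

// Small demonstration run.
const samples = [
  'http://www.bank.example@evil.example/login',
  'http://www.bank.example:443@evil.example:8080/',
  'https://www.bank.example/login',
];
for (const s of samples) {
  console.log(s, '->', describeUrl(s));
  console.log('  warn if top-level:', shouldWarn(s, true),
              '| warn if in IFRAME:', shouldWarn(s, false));
}
```

Running it shows that www.bank.example@evil.example is sent to evil.example with "www.bank.example" as the HTTP username, and that the :443 trick merely becomes a password of "443". The model warns for exactly the case Firefox does, a top-level navigation, and stays silent for the IFRAME case, because that URL is never rendered where a user could be fooled by it.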
That's where the story should end. It did not:
Are some of the editors really so dependent on PR wires that it becomes prohibitively difficult for them to verify stories on their own - or even ping a trusted researcher over IM, for that matter? I always wondered; now, I sadly think I have the answer.