It was reported [1],[2] that Firefox suffers from a Drag-and-Drop XSS flaw. This could allow for the execution of unwanted JavaScript by copying and pasting it in the address bar, or by dragging and dropping it onto a web page.

Two methods were identified: bypass via letter capitalization and another by use of the feed protocol (the latter does not seem to affect Firefox 3.6.x, which reports that the URL is not valid and cannot be loaded).

The upstream bug is currently private and a fix is currently unavailable.

[1] http://soroush.secproject.com/blog/2011/12/drag-and-drop-xss-in-firefox-by-html5-cross-domain-in-frames/
[2] https://bugzilla.mozilla.org/show_bug.cgi?id=704354

*** This bug has been marked as a duplicate of bug 803119 ***