Adobe security researcher Peleus Uhley reported that when plugin-initiated requests receive a 307 redirect response, the plugin is not notified and the request is forwarded to the new location. This is true even for cross-site redirects, so any custom headers that were added as part of the initial request would be forwarded intact across origins. This poses a CSRF risk for web applications that rely on custom headers only being present in requests from their own origin.
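As an added illustration (not part of this bug report, of Mozilla's code, or of the plugin in question): a small Python simulation of the redirect behaviour described above, followed by the server-side check that becomes unsafe because of it and a hardened variant that does not rely on a custom header alone. All URLs, header names and token values are constructed for the example.

```python
from dataclasses import dataclass, field
import hmac


@dataclass
class Request:
    method: str
    url: str
    headers: dict = field(default_factory=dict)


def follow_like_bug(req: Request, responses: dict, max_hops: int = 5) -> Request:
    """Replay the reported behaviour: a 307 is followed without telling the
    caller, and the original request, custom headers included, is re-sent
    to the Location target even when that target is on another origin.
    `responses` maps a URL to a constructed (status, location) pair."""
    current = req
    for _ in range(max_hops):
        status, location = responses.get(current.url, (200, None))
        if status != 307:
            return current
        # Headers are copied across verbatim; nothing is stripped cross-origin.
        current = Request(current.method, location, dict(current.headers))
    raise RuntimeError("too many redirects")


def header_only_check(req: Request) -> bool:
    """The pattern the advisory warns about: accept a state-changing request
    because a custom header is present, on the assumption that only same-origin
    code could have set it."""
    return req.headers.get("X-Requested-With") == "XMLHttpRequest"


def token_check(req: Request, session_token: str) -> bool:
    """Hardened pattern: keep the custom-header requirement, but also demand a
    per-session anti-CSRF token. A page on another origin can add arbitrary
    headers to a plugin-initiated request, but it cannot know this token."""
    presented = req.headers.get("X-CSRF-Token", "")
    return header_only_check(req) and hmac.compare_digest(presented, session_token)


if __name__ == "__main__":
    # Constructed scenario: a request to one origin is answered with a 307 to another.
    responses = {"https://first.invalid/go": (307, "https://app.invalid/api/transfer")}
    start = Request("POST", "https://first.invalid/go", {"X-Requested-With": "XMLHttpRequest"})
    delivered = follow_like_bug(start, responses)
    print(delivered.url, delivered.headers)
    print("header-only check accepts:", header_only_check(delivered))
    print("token check accepts:", token_check(delivered, "constructed-session-token"))
```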
This is now public: http://www.mozilla.org/security/announce/2011/mfsa2011-10.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6, via RHSA-2011:0310 https://rhn.redhat.com/errata/RHSA-2011-0310.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 4, via RHSA-2011:0313 https://rhn.redhat.com/errata/RHSA-2011-0313.html