WYCIWYG
Encyclopedia
WYCIWYG is an acronym that stands for What You Cache Is What You Get, commonly displayed in the address bar of Gecko
-based Web browser
s like Mozilla Firefox
as wyciwyg:// when the Web browser
is retrieving cached
information.
reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302
redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing).
This security issue was announced on 17 July 2007 as a high vulnerability and was fixed in Firefox 2.0.0.5 and SeaMonkey
1.1.3.
Gecko (layout engine)
Gecko is a free and open source layout engine used in many applications developed by Mozilla Foundation and the Mozilla Corporation , as well as in many other open source software projects....
-based Web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
s like Mozilla Firefox
Mozilla Firefox
Mozilla Firefox is a free and open source web browser descended from the Mozilla Application Suite and managed by Mozilla Corporation. , Firefox is the second most widely used browser, with approximately 25% of worldwide usage share of web browsers...
as wyciwyg:// when the Web browser
Web browser
A web browser is a software application for retrieving, presenting, and traversing information resources on the World Wide Web. An information resource is identified by a Uniform Resource Identifier and may be a web page, image, video, or other piece of content...
is retrieving cached
Web cache
A web cache is a mechanism for the temporary storage of web documents, such as HTML pages and images, to reduce bandwidth usage, server load, and perceived lag...
information.
Usage
Mozilla Firefox implements a unique, strictly internal wyciwyg:// pseudo-URI scheme to sort and later reference locally cached pages that were generated or modified by a script on the client side (a common practice for Web 2.0 sites).Security Issues
Michal ZalewskiMichal Zalewski
Michał Zalewski , also known by the user name lcamtuf, is a "white hat" hacker, computer security expert from Poland and a Google Inc. employee....
reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It is possible to access wyciwyg:// documents without proper same domain policy checks through the use of HTTP 302
HTTP 302
The HTTP response status code 302 Found is the most common way of performing a redirection.It is an example of industry practice contradicting the standard HTTP/1.0 specification , which required the client to perform a temporary redirect , but popular browsers implemented it as a 303 See Other , i.e...
redirects. This enables the attacker to steal sensitive data displayed on dynamically generated pages; perform cache poisoning; and execute own code or display own content with URL bar and SSL certificate data of the attacked page (URL spoofing).
This security issue was announced on 17 July 2007 as a high vulnerability and was fixed in Firefox 2.0.0.5 and SeaMonkey
SeaMonkey
SeaMonkey is a free and open source cross-platform Internet suite. It is the continuation of the former Mozilla Application Suite, based on the same source code...
1.1.3.