Mozilla developer Christoph Kerschbaumer discovered an issue while investigating Mozilla Foundation Security Advisory 2015-03, previously reported by security researcher Muneaki Nishimura. According to the specification, a cross-origin resource sharing (CORS) request should not follow 30x redirections after preflight; the flaw was that such redirections were followed. This only affects sendBeacon() requests but could allow for a potential cross-site request forgery (XSRF) attack from malicious websites.

In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.
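
The rule the advisory cites, modelled as an added example (not Mozilla's code): a preflighted cross-origin request that receives a 30x response must end in a network error rather than being re-sent to the redirect target. The function names, the simplified preflight test and the `*.example` hosts are assumptions made for illustration.

```javascript
// Added model of the rule cited in the advisory; not browser source code.
// Function names and the *.example hosts are hypothetical.
const REDIRECTS = new Set([301, 302, 303, 307, 308]);
const SIMPLE_METHODS = new Set(['GET', 'HEAD', 'POST']);
const SIMPLE_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// Simplified: only method and Content-Type are considered, since
// sendBeacon() cannot set custom request headers.
function needsPreflight(req) {
  if (!SIMPLE_METHODS.has(req.method)) return true;
  const type = (req.contentType || '').split(';')[0].trim().toLowerCase();
  return type !== '' && !SIMPLE_TYPES.has(type);
}

// Walk a constructed response chain; return where the body ended up.
function deliver(req, responses) {
  const preflighted = needsPreflight(req);
  let url = req.url;
  for (const res of responses) {
    if (!REDIRECTS.has(res.status)) {
      return { outcome: 'delivered', url, preflighted };
    }
    if (preflighted) {
      // The rule: a 30x after preflight ends the request.
      return { outcome: 'network-error', url, preflighted };
    }
    url = res.location; // simple requests may follow the redirect
  }
  return { outcome: 'network-error', url, preflighted }; // chain never terminated
}

// Constructed sample: an endpoint that answers 307 to another origin.
const chain = [
  { status: 307, location: 'https://b.example/action' },
  { status: 200 },
];
const jsonBeacon = { method: 'POST', url: 'https://a.example/log', contentType: 'application/json' };
const textBeacon = { method: 'POST', url: 'https://a.example/log', contentType: 'text/plain;charset=UTF-8' };

console.log(deliver(jsonBeacon, chain));
console.log(deliver(textBeacon, chain));
```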