Security researcher Muneaki Nishimura reported that
navigator.sendBeacon()
does not follow the cross-origin resource
sharing (CORS) specification. This results in the request from
sendBeacon()
lacking an origin
header in violation of
the W3C Beacon specification and not
being treated as a CORS request. This allows for a potential Cross-site request
forgery (XSRF) attack from malicious websites.
In general this flaw cannot be exploited through email in the Thunderbird product because scripting is disabled, but is potentially a risk in browser or browser-like contexts.