Security researcher cgvwzq reported that it is possible to read
cross-origin URLs following a redirect if performance.getEntries() is used
along with an iframe to host a page. Navigating back in history through script, content is
pulled from the browser cache for the redirected location instead of going to the original
location. This is a same-origin policy violation and could allow for data theft.
This issue affects other browsers as well and is not limited to Mozilla products.
Vulmon