Here's the second bug from my PacSec presentation, and it's another Firefox one; kudos to the Firefox security team for their responsiveness. It's fixed in the recent 18.104.22.168 and 3.0.5 releases.
It involves, yes, a cross-domain
This particular bug involves Firefox's
One cute twist is that Firefox 3 already had this fixed (thanks to Filipe Almeida; see credit below), but the "302 redirect trick" bypassed that fix. This trick is becoming quite fruitful; see the previous Firefox image theft bug.
Credit to Filipe Almeida for being awesome. He was playing with this stuff long before anyone else.