I want to warn you about Cross-Site Scripting vulnerabilities in Mozilla,
Internet Explorer, Opera and Chrome. I wrote about it on my site this Monday
(29.06.2009) and also informed the corresponding browser developers about this
vulnerability.

On 21.04.2009 a vulnerability was fixed in Firefox 3.0.9
(http://www.mozilla.org/security/announce/2009/mfsa2009-22.html), which
allowed XSS attacks to be conducted via the Refresh header. And as I checked,
this attack also works in Mozilla, IE6, Opera and Chrome.

XSS:

With a request to a script at a web site:

http://site/script.php?param=javascript:alert(document.cookie)

Which returns the Refresh header in its response:

refresh: 0; URL=javascript:alert(doc ...
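
A server-side mitigation for the reflected Refresh header described above, as an added example that is not part of the original post: the site script checks the parameter against a scheme allowlist before emitting the header. Python is used for illustration and the function names are hypothetical.

```python
from urllib.parse import urlsplit

# Allowlist of schemes a redirect target may use. Anything else
# (javascript:, data:, vbscript:, ...) is refused rather than blocklisted.
ALLOWED_SCHEMES = {"http", "https"}


def vulnerable_refresh_value(param):
    """The behaviour the post describes: the parameter is reflected as-is."""
    return f"0; URL={param}"


def refresh_header_value(target, delay=0):
    """Return a Refresh header value for `target`, or None if it is unsafe."""
    if not isinstance(target, str) or not target:
        return None
    # Reject whitespace and control characters outright: CR/LF would split
    # the response header, and browsers drop tab/newline inside a URL, so
    # "java\tscript:" would otherwise be read as "javascript:".
    if any(ord(c) <= 0x20 or ord(c) == 0x7F for c in target):
        return None
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return None
    # Require an absolute http(s) URL with a host. urlsplit lower-cases the
    # scheme, so "JaVaScRiPt:" is caught by the same comparison.
    if parts.scheme not in ALLOWED_SCHEMES or not parts.netloc:
        return None
    return f"{max(0, int(delay))}; URL={target}"


if __name__ == "__main__":
    # Constructed sample inputs, including the request from the post.
    for sample in ("javascript:alert(document.cookie)",
                   "JaVaScRiPt:alert(1)",
                   "http://site/next.php?id=1"):
        print(repr(sample), "->", refresh_header_value(sample))
```

When the function returns None the script should send no Refresh header at all, or fall back to a fixed, known-good URL.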