WYCIWYG

WYCIWYG is an acronym that stands for What You Cache Is What You Get, commonly displayed in the address bar of Gecko-based Web browsers like Mozilla Firefox as wyciwyg:// when the Web browser is retrieving cached information.

Usage

Mozilla Firefox implements a unique, strictly internal wyciwyg:// pseudo-URI scheme to sort and later reference locally cached pages that were generated or modified by a script on the client side (a common practice for Web 2.0 sites).[1]

Security Issues

Michal Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. Through the use of HTTP 302 redirects, wyciwyg:// documents could be accessed without proper same-origin policy checks. This enabled an attacker to steal sensitive data displayed on dynamically generated pages, perform cache poisoning, and execute their own code or display their own content with the URL bar and SSL certificate data of the attacked page (URL spoofing).[2]

This security issue was announced on 17 July 2007 as a high-severity vulnerability and was fixed in Firefox 2.0.0.5 and SeaMonkey 1.1.3.
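
The class of flaw described above, a same-origin check that is applied to the requested URL but not to the target of an HTTP 302 redirect, can be shown with a simplified model. This is an added example, not Firefox code; the function names, the redirect table and every URL in it (including the sample wyciwyg:// URL) are constructed for illustration.

```javascript
// Simplified model of a loader that follows HTTP 302 redirects for page script.
// Assumption: internal pseudo-schemes must never be reachable from web content.
const INTERNAL_SCHEMES = new Set(["wyciwyg:"]);

// Constructed redirect table: request URL -> Location header of a 302 response.
const REDIRECTS = new Map([
  ["https://site-a.example/r", "wyciwyg://0/https://site-b.example/account"],
  ["https://site-a.example/a", "https://site-a.example/b"],
]);

// The policy decision for a single URL: refuse internal schemes outright,
// otherwise require the URL's origin to equal the caller's origin.
function allowed(callerOrigin, url) {
  const u = new URL(url);
  if (INTERNAL_SCHEMES.has(u.protocol)) return false;
  return u.origin === callerOrigin;
}

// Flawed pattern: the check runs once, on the URL the script asked for,
// and redirect targets are then followed without being re-checked.
function resolveCheckFirstOnly(callerOrigin, url) {
  if (!allowed(callerOrigin, url)) return { ok: false, blockedAt: url };
  let current = url;
  for (let hops = 0; REDIRECTS.has(current) && hops < 10; hops++) {
    current = REDIRECTS.get(current);
  }
  return { ok: true, finalUrl: current };
}

// Corrected pattern: the same check runs on every hop, so a redirect into
// an internal scheme or another origin stops the load at that hop.
function resolveCheckEveryHop(callerOrigin, url) {
  let current = url;
  for (let hops = 0; hops <= 10; hops++) {
    if (!allowed(callerOrigin, current)) return { ok: false, blockedAt: current };
    if (!REDIRECTS.has(current)) return { ok: true, finalUrl: current };
    current = REDIRECTS.get(current);
  }
  return { ok: false, blockedAt: current }; // too many redirects
}

const caller = "https://site-a.example";
console.log(resolveCheckFirstOnly(caller, "https://site-a.example/r"));
console.log(resolveCheckEveryHop(caller, "https://site-a.example/r"));
```

In the model, the first function hands back the cached document of another site, while the second stops at the wyciwyg:// hop and still allows the ordinary same-origin redirect.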

References