What is a cross-site E4X hijacking attack?

[luntrus]

Hi forum friends,

I went here: http://popwatch.ew.com/2009/10/14/john- ... nniversar/
I saw this in the error console:
Error: [Exception... "'NoScript aborted redirection to http://img2-short.timeinc.net/ew/static ... .js?ver=MU' when calling method: [nsIChannelEventSink::onChannelRedirect]" nsresult: "0x8057001e (NS_ERROR_XPC_JS_THREW_STRING)" location: "<unknown>" data: no]
====================
[NoScript] Potential cross-site E4X hijacking detected and blocked (http://www.ew.com/ew/js/main/0,,,00.js?ver=MU)

The site, that one at popwatch gives me a ghostery alert for 6 trackers, yes 6...

AddThis
QuantCast
Quigo AdSonar
Revenue Science
Tacoda
Wordpress Stats

RequestPolicy report a secret link from Wordpress.com to TimeInc.net

Just was curious enough to look under the hood, found this as background info:
http://www.thespanner.co.uk/2009/02/24/ ... hijacking/

luntrus

[Giorgio Maone]

E4X support may theoretically be exploited to read the content of XHTML documents cross-domain by using a <script> element, violating the same domain policy.
Thereofore NoScript blocks any markup document being loaded as a script.
In this case, though, this feature has been triggered because the original script request has been redirected using a non-empty XHTML response, instead of just the header.
This is not a correct behavior by the server, IMHO, however I'm changing hijack checks to work on final non-error responses only (i.e. 2xx status codes), rather than trigger on error or redirection pages like in this case.