|This article needs additional citations for verification. (September 2012)|
WYCIWYG is an acronym that stands for What You Cache Is What You Get, commonly displayed in the address bar of Gecko-based Web browsers like Mozilla Firefox as wyciwyg:// when the Web browser is retrieving cached information.
The term WYCIWYG is a play on the acronym WYSIWYG ("What You See Is What You Get").
Mozilla Firefox implements an unregistered, strictly internal wyciwyg:// URI scheme to sort and later reference locally cached pages that were generated or modified by a script on the client side (a common practice for Web 2.0 sites).
In 2007 Michał Zalewski reported that it was possible to bypass the same-origin checks and read from cached (wyciwyg) documents. It was possible at that time to access wyciwyg:// documents without proper same domain policy checks. This could have enabled an attacker to steal sensitive data, perform cache poisoning and execute their own code or display own content with URL bar and SSL certificate data of the original page (URL spoofing). This was fixed in Firefox 126.96.36.199 and SeaMonkey 1.1.3.
- Firefox wyciwyg:// cache vulnerability demo – Michal Zalewski
- Mozilla Foundation Security Advisory 2007-24: Unauthorized access to wyciwyg:// documents