Mozilla Foundation Security Advisory 2012-15
Title: XSS with multiple Content Security Policy
Announced: March 13, 2012
Products: Firefox, Thunderbird, SeaMonkey
Fixed in: Firefox 11.0
Firefox ESR 10.0.3
Thunderbird ESR 10.0.3
Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability.
Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.