You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-36

Mozilla Foundation Security Advisory 2012-36

Title: Content Security Policy inline-script bypass
Impact: High
Announced: June 5, 2012
Reporter: Adam Barth
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 13.0
  Firefox ESR 10.0.5
  Thunderbird 13.0
  Thunderbird ESR 10.0.5
  SeaMonkey 2.10


Security researcher Adam Barth found that inline event handlers, such as onclick, were no longer blocked by Content Security Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected.