XSS with multiple Content Security Policy headers
- March 13, 2012
- Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
- Fixed in
- Firefox 11
- Firefox ESR 10.0.3
- SeaMonkey 2.8
- Thunderbird 11
- Thunderbird ESR 10.0.3
Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability.
Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.