Mozilla Foundation Security Advisory 2012-36

Content Security Policy inline-script bypass

Announced
June 5, 2012
Reporter
Adam Barth
Impact
High
Products
Firefox, Firefox ESR, SeaMonkey, Thunderbird, Thunderbird ESR
Fixed in
  • Firefox 13
  • Firefox ESR 10.0.5
  • SeaMonkey 2.10
  • Thunderbird 13
  • Thunderbird ESR 10.0.5

Description

Security researcher Adam Barth found that inline event handlers, such as onclick, were no longer blocked by Content Security Policy's (CSP) inline-script blocking feature. Web applications relying on this feature of CSP to protect against cross-site scripting (XSS) were not fully protected.

References