Mozilla Foundation Security Advisory 2015-91
Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
- August 11, 2015
- Christoph Kerschbaumer
- Firefox, SeaMonkey
- Fixed in
  - Firefox 40
  - SeaMonkey 2.38
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy between Mozilla's implementation of Content Security Policy (CSP) and the CSP specification. The specification states that certain URLs should be excluded when matching a wildcard source expression, but Mozilla's implementation allowed them to match an asterisk (*) wildcard. This could make a CSP more permissive than the web developer intended, possibly allowing cross-site scripting (XSS) attacks.
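The following is an added example, not Mozilla's code and not part of the advisory. It shows the source-expression matching rule the advisory refers to: under CSP Level 2 (section 4.2.2, "Matching Source Expressions"), a bare asterisk matches a URL only when the URL's scheme is not blob:, data: or filesystem:, so a policy such as "script-src *" does not permit data: or blob: script URLs. The functions wildcardMatchesPerSpec, wildcardMatchesPermissive and sourceListAllows are names chosen here; the sample URLs are constructed. The permissive variant models the behaviour described above, where the asterisk matched every URL, so a policy author can compare what the same directive allows under each rule. Host-source matching is simplified (no port handling, scheme-less host sources accept http: and https:) because the point being demonstrated is the wildcard.

```javascript
// Added example (not Mozilla's code): CSP "*" matching per CSP Level 2
// section 4.2.2, beside the permissive behaviour the advisory describes.
// Uses only the global WHATWG URL class available in Node.js.

// Schemes a bare "*" must NOT match under the specification.
const WILDCARD_EXCLUDED_SCHEMES = new Set(["blob:", "data:", "filesystem:"]);

// Spec-conformant rule: "*" matches any URL except blob:, data:, filesystem:.
function wildcardMatchesPerSpec(urlString) {
  const url = new URL(urlString);
  return !WILDCARD_EXCLUDED_SCHEMES.has(url.protocol);
}

// Behaviour described in the advisory (fixed in Firefox 40): "*" matched
// every URL, including data: and blob: URLs.
function wildcardMatchesPermissive(urlString) {
  new URL(urlString); // still require a parseable URL
  return true;
}

// Evaluate one directive's source list (e.g. the value of script-src) against
// a URL. The wildcard rule is passed in so both behaviours can be compared.
// Simplifications: no port matching; a host source without a scheme accepts
// http: and https: URLs; 'self' and other keyword sources are skipped.
function sourceListAllows(sourceList, urlString, wildcardRule) {
  const url = new URL(urlString);
  const hostname = url.hostname.toLowerCase();

  for (const rawExpr of sourceList.trim().split(/\s+/)) {
    const expr = rawExpr.toLowerCase();
    if (expr === "'none'") return false;
    if (expr === "*") {
      if (wildcardRule(urlString)) return true;
      continue;
    }
    if (expr.startsWith("'")) continue; // keyword sources: not URL matches

    // Scheme source such as "https:" or "data:".
    if (/^[a-z][a-z0-9+.-]*:$/.test(expr)) {
      if (url.protocol === expr) return true;
      continue;
    }

    // Host source: [scheme://]host, where host may start with "*.".
    const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([a-z0-9.-]+)$/.exec(expr);
    if (!m) continue; // unsupported or malformed expression: never matches
    const [, scheme, star, host] = m;
    if (scheme && url.protocol !== scheme + ":") continue;
    if (!scheme && !["http:", "https:"].includes(url.protocol)) continue;
    const hostOk = star ? hostname.endsWith("." + host) : hostname === host;
    if (hostOk) return true;
  }
  return false;
}

// Compare what one source list permits under the spec rule and the
// permissive rule, for a given URL.
function compareWildcardBehaviour(sourceList, urlString) {
  return {
    spec: sourceListAllows(sourceList, urlString, wildcardMatchesPerSpec),
    permissive: sourceListAllows(sourceList, urlString, wildcardMatchesPermissive),
  };
}

// Demonstration with constructed sample URLs.
const SAMPLE_URLS = [
  "https://cdn.example.com/app.js",
  "data:text/javascript,console.log(1)",
  "blob:https://example.com/0123-4567",
];
for (const u of SAMPLE_URLS) {
  console.log(u, compareWildcardBehaviour("*", u));
}
```

For "script-src *", the spec rule reports the data: and blob: URLs as blocked while the permissive rule reports them as allowed; a policy that genuinely wants data: scripts must list "data:" explicitly, as in "script-src * data:".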