Mozilla Foundation Security Advisory 2016-45

CSP not applied to pages sent with multipart/x-mixed-replace

Announced
April 26, 2016
Reporter
Muneaki Nishimura
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 46

Description

Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to a failure to prevent potential cross-site scripting (XSS) and other attacks against the web page.

References