CSP not applied to pages sent with multipart/x-mixed-replace
- April 26, 2016
- Muneaki Nishimura
- Fixed in
- Firefox 46
Security researcher Muneaki Nishimura (nishimunea) of Recruit
Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied
correctly to web content sent with the
multipart/x-mixed-replace MIME type.
This allows for script to run in instances where CSP should block it, leading to a failure
to prevent potential cross-site scripting (XSS) and other attacks against the web page.