Download Firefox

Firefox is no longer supported on Windows 8.1 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox is no longer supported on macOS 10.14 and below.

Please download Firefox ESR (Extended Support Release) to use Firefox.

Firefox Privacy Notice

Mozilla Foundation Security Advisory 2016-60

Java applets bypass CSP protections

Announced
June 7, 2016
Reporter
Matt Wobensmith
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 47

Description

Mozilla engineer Matt Wobensmith reported that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This could allow a malicious site to manipulate content through a Java applet to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.

References