Mozilla Foundation Security Advisory 2016-60
Java applets bypass CSP protections
- June 7, 2016
- Matt Wobensmith
- Fixed in
- Firefox 47
Mozilla engineer Matt Wobensmith reported that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This could allow a malicious site to manipulate content through a Java applet to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.