Mozilla Foundation Security Advisory 2016-60

Java applets bypass CSP protections

Announced
June 7, 2016
Reporter
Matt Wobensmith
Impact
Moderate
Products
Firefox
Fixed in
  • Firefox 47

Description

Mozilla engineer Matt Wobensmith reported that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This could allow a malicious site to manipulate content through a Java applet to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks.

References