You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-15

Mozilla Foundation Security Advisory 2012-15

Title: XSS with multiple Content Security Policy headers
Impact: Moderate
Announced: March 13, 2012
Reporter: Mike
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8

Description

Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect page policy. Using carriage return line feed (CRLF) injection, a new CSP rule can be introduced which allows for cross-site scripting (XSS) on sites with a separate header injection vulnerability.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.

References