Mozilla Foundation Security Advisory 2012-15

Title: XSS with multiple Content Security Policy headers
Impact: Moderate
Announced: March 13, 2012
Reporter: Mike
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 11.0
  Firefox ESR 10.0.3
  Thunderbird 11.0
  Thunderbird ESR 10.0.3
  SeaMonkey 2.8


Security Researcher Mike Brooks of Sitewatch reported that if multiple Content Security Policy (CSP) headers are present on a page, they have an additive effect on the page's policy. Using carriage return line feed (CRLF) injection on a site that has a separate header injection vulnerability, an attacker can introduce a new CSP rule, which allows for cross-site scripting (XSS) on that site.

Firefox 3.6 and Thunderbird 3.1 are not affected by this vulnerability.
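The advisory rests on two conditions: a header value that can carry CR/LF into the response, and a response that ends up with more than one CSP header. The following Python is an added example written for this page, not code from the Mozilla advisory or from Firefox: a server-side header setter that refuses CR/LF/NUL in header values (the mitigation for the header-injection precondition) and a small response auditor that flags duplicate CSP headers. The header names, helper names and sample responses are constructed for illustration; `X-Content-Security-Policy` is the pre-standard header name Firefox used at the time.

```python
# Added example, not code from the Mozilla advisory or from Firefox itself.
# It covers the two conditions the advisory combines: a header value carrying
# CR/LF (the header-injection precondition) and a response ending up with more
# than one CSP header. Header names and sample responses are constructed.

CSP_HEADER_NAMES = {
    b"content-security-policy",
    b"x-content-security-policy",  # pre-standard name used by Firefox in 2012
}


def is_safe_header_value(value: str) -> bool:
    """Return False for values that could end a header line or the header block."""
    return not any(ch in value for ch in ("\r", "\n", "\x00"))


def add_header(headers: list, name: str, value: str) -> list:
    """Append (name, value) to a header list, refusing values that would inject headers.

    Raising here is the server-side mitigation: user-influenced data never
    reaches a header unless it is a single clean line.
    """
    if not is_safe_header_value(name) or not is_safe_header_value(value):
        raise ValueError(f"refusing header {name!r}: CR/LF/NUL in name or value")
    headers.append((name, value))
    return headers


def csp_headers(raw_response: bytes) -> list:
    """Return the values of every CSP header in a raw HTTP response head."""
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    found = []
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        if name.strip().lower() in CSP_HEADER_NAMES:
            found.append(value.strip().decode("latin-1"))
    return found


def audit_response(raw_response: bytes) -> list:
    """Flag responses carrying more than one CSP header (additive merge risk)."""
    policies = csp_headers(raw_response)
    if len(policies) > 1:
        return [f"{len(policies)} CSP headers present: {policies}"]
    return []


# Constructed sample: a response where a second, looser CSP header has been
# appended, the shape the advisory describes regardless of how it got there.
DUPLICATE_CSP_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"X-Content-Security-Policy: default-src 'self'\r\n"
    b"X-Content-Security-Policy: default-src *\r\n"
    b"\r\n"
    b"<html></html>"
)

# Constructed sample: a single policy, nothing to flag.
CLEAN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"\r\n"
    b"<html></html>"
)


def demo() -> dict:
    """Run both checks and return their outcomes."""
    try:
        # A value containing a line break must be rejected before it is emitted.
        add_header([], "Location", "/home\r\nX-Injected: 1")
        blocked = False
    except ValueError:
        blocked = True
    return {
        "injection_blocked": blocked,
        "duplicate_findings": audit_response(DUPLICATE_CSP_RESPONSE),
        "clean_findings": audit_response(CLEAN_RESPONSE),
    }


if __name__ == "__main__":
    print(demo())
```

The rejection in `add_header` is the part that matters on the server: with no way to get a CR/LF into a header value, a second CSP header cannot be appended through that path. The audit is a useful secondary check because later CSP specifications require browsers to enforce each of multiple policies independently (the page can only get stricter), which is the behaviour the Firefox 11 fix moved towards; a response that still carries more than one policy header is worth investigating either way.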