You are here: Security Center > Mozilla Foundation Security Advisories > MFSA 2012-53

Mozilla Foundation Security Advisory 2012-53

Title: Content Security Policy 1.0 implementation errors cause data leakage
Impact: High
Announced: July 17, 2012
Reporter: Karthikeyan Bhargavan
Products: Firefox, Thunderbird, SeaMonkey

Fixed in: Firefox 14
  Firefox ESR 10.0.6
  Thunderbird 14
  Thunderbird ESR 10.0.6
  SeaMonkey 2.11

Description

Security researcher Karthikeyan Bhargavan of Prosecco at INRIA reported Content Security Policy (CSP) 1.0 implementation errors. CSP violation reports generated by Firefox and sent to the "report-uri" location include sensitive data within the "blocked-uri" parameter. These include fragment components and query strings even if the "blocked-uri" parameter has a different origin than the protected resource. This can be used to retrieve a user's OAuth 2.0 access tokens and OpenID credentials by malicious sites.

References