Mozilla Firefox CVE-2015-4490 Cross Site Scripting Vulnerability
Description
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy in Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs should be excluded in case of a wildcard when matching source expressions but Mozilla's implementation allows these in the case of an asterisk wildcard. This could allow for more permissive CSP usage than expected by a web developer, possibly allowing for cross-site scripting (XSS) attacks.
Affected Applications
Firefox