Endpoint Vulnerability

CSP not applied to pages sent with multipart/x-mixed-replace

Description

Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to a failure to prevent potential cross-site scripting (XSS) and other attacks against the web page.

Affected Products

Firefox

References

CVE-2016-2816,