Mozilla Foundation Security Advisory 2015-91
Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification
- Announced
  - August 11, 2015
- Reporter
  - Christoph Kerschbaumer
- Impact
  - Moderate
- Products
  - Firefox, SeaMonkey
- Fixed in
  - Firefox 40
  - SeaMonkey 2.38
Description
Mozilla security engineer Christoph Kerschbaumer reported a discrepancy between Mozilla's implementation of Content Security Policy and the CSP specification. The specification states that blob:, data:, and filesystem: URLs must be excluded when a source expression is a wildcard, but Mozilla's implementation allowed these URLs to match a bare asterisk wildcard. This could make a CSP more permissive than the web developer intended, possibly allowing cross-site scripting (XSS) attacks.
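The matching rule the advisory refers to, as an added example that is not part of the advisory or of Mozilla's code: a minimal CSP Level 2 source-expression matcher in JavaScript in which a bare `*` does not match blob:, data:, or filesystem: URLs unless those schemes are listed explicitly. The `permissiveWildcard` flag (an assumed name) reproduces the pre-fix behaviour so the two can be compared; the sample URLs are constructed.

```javascript
// Added example, not Mozilla's code: a minimal CSP Level 2 source-expression
// matcher. A bare "*" must not match blob:, data:, or filesystem: URLs; those
// schemes match only when listed explicitly (e.g. "data:"). `permissiveWildcard`
// models the behaviour the advisory describes, where "*" matched them too.
const WILDCARD_EXCLUDED_SCHEMES = new Set(['blob', 'data', 'filesystem']);

// Lower-cased scheme of a URL string ("data:text/plain,x" -> "data").
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Match one source expression against a URL. Handles "*", scheme-sources
// ("data:", "https:") and exact-origin host-sources ("https://cdn.example.com");
// host wildcards such as "*.example.com" are out of scope here.
function sourceMatches(expr, url, permissiveWildcard = false) {
  const scheme = schemeOf(url);
  if (scheme === null) return false;
  if (expr === '*') {
    // Spec rule: "*" matches unless the scheme is blob, data or filesystem.
    return permissiveWildcard || !WILDCARD_EXCLUDED_SCHEMES.has(scheme);
  }
  if (/^[a-z][a-z0-9+.-]*:$/i.test(expr)) {
    return expr.slice(0, -1).toLowerCase() === scheme; // scheme-source
  }
  try {
    return new URL(expr).origin === new URL(url).origin; // host-source
  } catch {
    return false; // unparsable expression or URL never matches
  }
}

// Evaluate a whitespace-separated source list such as "* data:" for a URL.
function policyAllows(sourceList, url, permissiveWildcard = false) {
  return sourceList.trim().split(/\s+/)
    .some((expr) => sourceMatches(expr, url, permissiveWildcard));
}

// Constructed sample URLs a page might try to load under "script-src *".
const SAMPLES = {
  https: 'https://cdn.example.com/app.js',
  data: 'data:text/javascript,console.log(1)',
  blob: 'blob:https://example.com/0b7c1c2e-constructed',
  filesystem: 'filesystem:https://example.com/temporary/x.js',
};
```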