Security researcher Muneaki Nishimura (nishimunea) of Recruit
Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied
correctly to web content sent with the multipart/x-mixed-replace
MIME type.
This allows for script to run in instances where CSP should block it, leading to a failure
to prevent potential cross-site scripting (XSS) and other attacks against the web page.