Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript.
Event handlers on marquee elements were executed despite a strict Content Security Policy (CSP) that disallowed inline JavaScript.
https://www.mozilla.org/en-US/security/advisories/mfsa2016-94/#CVE-2016-9895