Mozilla Firefox prior to 46.0 allows remote malicious users to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type.
Mozilla Foundation Security Advisory 2016-45
CSP not applied to pages sent with multipart/x-mixed-replace
Announced: April 26, 2016
Reporter: Muneaki Nishimura
Impact: Moderate
Products: Firefox
Fixed in: ...
Mozilla Firefox before 46.0 allows remote attackers to bypass the Content Security Policy (CSP) protection mechanism via the multipart/x-mixed-replace content type ...