2018-06-11 21:00:00
mozilla
PUBLISHED
A mechanism to bypass Content Security Policy (CSP) protections on sites that have a "script-src" policy of "strict-dynamic". If a target website contains an HTML injection flaw an attacker could inject a reference to a copy of the "require.js" library that is part of Firefoxs Developer Tools, and then use a known technique using that library to bypass the CSP restrictions on executing injected scripts. This vulnerability affects Firefox < 60.