Security researcher Adam Barth found that inline event handlers, such as onclick attributes, were no longer blocked by the inline-script blocking feature of Content Security Policy (CSP) in Mozilla's implementation. Under CSP, a script-src directive (or the default-src directive it falls back to) that omits 'unsafe-inline' is supposed to block all inline script, including script elements, event handler attributes and javascript: URLs. Because event handler attributes slipped through, web applications relying on this feature of CSP as a defense against cross-site scripting (XSS) were not fully protected: an injected onclick or onmouseover attribute would still execute. CSP is a mitigation layered on top of output encoding, not a replacement for it, and applications should not depend on it as their only XSS defense. Reference: http://www.mozilla.org/security/announce/2012/mfsa2012-36.html http://www.w3.org/TR/CSP/
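The following is an added example, not code from the Red Hat advisory or from Mozilla: a small Node.js audit that parses a CSP header and lists the inline-script constructs in a page that such a policy is supposed to block. It is the check an application owner wants when a browser's enforcement turns out to be incomplete, as it was here for event handler attributes, because every finding is a place where the page is relying on a guarantee it may not be getting. The sample pages, the policy string and the function names are constructed for this example; the markup scanning is regex based and is a linting aid, not a full HTML parser.

```javascript
// Added example: audit a page for inline script that a CSP without 'unsafe-inline'
// should block. Not part of the advisory; function names and sample data are invented.

function parseCsp(header) {
  // Returns { directiveName: [sourceExpression, ...] } with directive names lowercased.
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

function effectiveScriptSources(policy) {
  // CSP 1.0: script-src falls back to default-src when it is absent.
  if (policy['script-src']) return policy['script-src'];
  if (policy['default-src']) return policy['default-src'];
  return null; // policy places no restriction on script at all
}

function inlineScriptAllowed(cspHeader) {
  const sources = effectiveScriptSources(parseCsp(cspHeader));
  if (sources === null) return true;
  return sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

// The three constructs CSP 1.0 treats as inline script.
const HANDLER_ATTR = /\s(on[a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;
const JS_URL_ATTR = /\s(href|src|action|formaction)\s*=\s*["']?\s*javascript:/gi;
const SCRIPT_BODY = /<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi;

function findInlineScript(html) {
  const findings = [];
  let m;
  while ((m = HANDLER_ATTR.exec(html)) !== null) {
    findings.push({ kind: 'event-handler', name: m[1].toLowerCase(), snippet: m[0].trim() });
  }
  while ((m = JS_URL_ATTR.exec(html)) !== null) {
    findings.push({ kind: 'javascript-url', name: m[1].toLowerCase(), snippet: m[0].trim() });
  }
  while ((m = SCRIPT_BODY.exec(html)) !== null) {
    // A script element with a src attribute is an external script, not inline script.
    const hasSrc = /\bsrc\s*=/i.test(m[1]);
    if (!hasSrc && m[2].trim().length > 0) {
      findings.push({ kind: 'script-element', name: 'script', snippet: m[2].trim().slice(0, 60) });
    }
  }
  return findings;
}

function auditInlineCoverage(cspHeader, html) {
  // Everything returned in shouldBeBlocked only works because the browser enforces
  // the policy; if enforcement is incomplete (the event-handler case in this advisory),
  // each entry is an inline-script sink the application has not actually removed.
  if (inlineScriptAllowed(cspHeader)) return { policyBlocksInline: false, shouldBeBlocked: [] };
  return { policyBlocksInline: true, shouldBeBlocked: findInlineScript(html) };
}

// Constructed sample pages. BEFORE relies on CSP to neutralise inline handlers and a
// javascript: URL; AFTER moves all behaviour into the external /static/app.js, which
// would register listeners with addEventListener and is permitted by script-src 'self'.
const BEFORE_HTML = `<!doctype html>
<html><body>
<button id="buy" onclick="checkout()">Buy</button>
<a href="javascript:void(0)" onmouseover="track(this)">Help</a>
<script>var q = new URLSearchParams(location.search).get('q');</script>
<script src="/static/app.js"></script>
</body></html>`;

const AFTER_HTML = `<!doctype html>
<html><body>
<button id="buy">Buy</button>
<a href="/help" id="help">Help</a>
<script src="/static/app.js"></script>
</body></html>`;

const POLICY = "default-src 'self'; script-src 'self'; object-src 'none'";

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditInlineCoverage(POLICY, BEFORE_HTML));
  console.log(auditInlineCoverage(POLICY, AFTER_HTML));
}
```

Run against BEFORE_HTML the audit reports two event handler attributes, one javascript: URL and one inline script element; against AFTER_HTML it reports nothing, which is the state an application should be in before it counts CSP as a second line of defense. A policy that carries 'unsafe-inline' reports nothing either, because in that case the policy never promised to block inline script.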
Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges security researcher Adam Barth as the original reporter.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 via RHSA-2012:0710 https://rhn.redhat.com/errata/RHSA-2012-0710.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 5, Red Hat Enterprise Linux 6 via RHSA-2012:0715 https://rhn.redhat.com/errata/RHSA-2012-0715.html