Security researcher Muneaki Nishimura (nishimunea) of Recruit Technologies Co., Ltd. reported that Content Security Policy (CSP) is not applied correctly to web content sent with the multipart/x-mixed-replace MIME type. This allows for script to run in instances where CSP should block it, leading to a failure to prevent potential cross-site scripting (XSS) and other attacks against the web page. External Reference: https://www.mozilla.org/security/announce/2016/mfsa2016-45.html
Acknowledgments: Name: the Mozilla project Upstream: Muneaki Nishimura