Mozilla engineer Matt Wobensmith reported that Content Security Policy (CSP) does not block the loading of cross-domain Java applets when specified by policy. This is because the Java applet is loaded by the Java plugin, which then mediates all network requests without checking against CSP. This could allow a malicious site to manipulate content through a Java applet to bypass CSP protections, allowing for possible cross-site scripting (XSS) attacks. External Reference: https://www.mozilla.org/security/announce/2016/mfsa2016-60.html Acknowledgements: Name: the Mozilla project Upstream: Matt Wobensmith Statement: This issue does not affect the version of firefox and thunderbird as shipped with Red Hat Enterprise Linux 5, 6 and 7.
This issue is now public at: https://www.mozilla.org/en-US/security/advisories/mfsa2016-60/