A Content Security Policy (CSP) frame-ancestors directive that contains origins with paths allows comparisons against those paths instead of the origin. This results in a cross-origin information leak of this path information.

External Reference:
https://www.mozilla.org/en-US/security/advisories/mfsa2017-18/#CVE-2017-7808

Acknowledgements:
Name: the Mozilla project
Upstream: Jun Kokatsu
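The difference between the path-sensitive comparison described above and an origin-only comparison, as an added example (not code from Firefox or from the advisory). The function names, the example.com-style URLs, the simplified source-expression syntax and the choice to ignore a source's path in the origin-only matcher are assumptions.

```javascript
// Added illustration, not Firefox code. Sources are simplified to
// "scheme://host[:port][/path]": no wildcards, 'self' or scheme-only sources.

// Split a source expression into its origin and optional path part.
function parseSource(source) {
  const u = new URL(source);
  return { origin: u.origin, path: u.pathname === "/" ? "" : u.pathname };
}

// Path-sensitive comparison (the flawed behaviour): the allow/block decision
// varies with the ancestor's path, so the outcome reveals path information.
function matchesWithPath(ancestorUrl, source) {
  const a = new URL(ancestorUrl);
  const s = parseSource(source);
  if (a.origin !== s.origin) return false;
  if (s.path === "") return true;
  // A path ending in "/" is treated as a prefix, otherwise as an exact match.
  return s.path.endsWith("/") ? a.pathname.startsWith(s.path) : a.pathname === s.path;
}

// Origin-only comparison: scheme, host and port decide; any path is ignored
// (assumption made for this example).
function matchesOriginOnly(ancestorUrl, source) {
  return new URL(ancestorUrl).origin === parseSource(source).origin;
}

// True if any source in the frame-ancestors list matches the ancestor.
function frameAllowed(ancestorUrl, sourceList, matcher) {
  return sourceList.some((src) => matcher(ancestorUrl, src));
}

// Constructed sample data: one policy source and three candidate ancestors.
const SOURCES = ["https://portal.example/account/settings"];
const ANCESTORS = [
  "https://portal.example/account/settings",
  "https://portal.example/public/home",
  "https://other.example/account/settings",
];

// Evaluate every sample ancestor against the policy with the given matcher.
function decisions(matcher) {
  return ANCESTORS.map((a) => frameAllowed(a, SOURCES, matcher));
}

console.log("path-sensitive:", decisions(matchesWithPath));
console.log("origin-only:   ", decisions(matchesOriginOnly));
```

With the origin-only matcher the two same-origin ancestors receive the same decision whatever their path, so the outcome carries no path information.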