Content Security Policy (CSP) is not applied correctly to all parts of multipart content sent with the `multipart/x-mixed-replace` MIME type. This could allow for script to run where CSP should block it, allowing for cross-site scripting (XSS) and other attacks. External Reference: https://www.mozilla.org/en-US/security/advisories/mfsa2018-11/#CVE-2018-5164
Acknowledgments: Name: the Mozilla project Upstream: Khalil Zhani