When protecting CSS blocks with the nonce feature of Content Security Policy, the @import statement in the CSS block could allow an attacker to inject arbitrary styles, bypassing the intent of the Content Security Policy.
Name: the Mozilla project
Upstream: Matheus Vrech
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):