Bug 1864434 Comment 0 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

This was reported on [twitter](https://twitter.com/ankursundara/status/1723410507389129092) by @ankursundara.

We seem to treat the new content loaded by `Content-Type: multipart/x-mixed-replace` like a new load and don't keep the previous `Content-Security-Policy` header. This means that the CSP can be weakened, but only when the attacker already controls all headers (actually the whole response).

I think we can either:
- Do nothing
- Look into removing `multipart/x-mixed-replace`
- Removing it only for non-images (MJPEG?)
- Only allow adding new CSP policies

This was reported on [twitter](https://twitter.com/ankursundara/status/1723410507389129092) by @ankursundara.

We seem to treat the new content loaded by `Content-Type: multipart/x-mixed-replace` like a new load and don't keep the previous `Content-Security-Policy` header. This means that the CSP can be weakened, but only when the attacker already controls all headers (actually the whole response).

I think we can either:
1. Do nothing
2. Look into removing `multipart/x-mixed-replace`
3. Removing it only for non-images (MJPEG?)
4. Only allow adding new CSP policies
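
A simplified model of the difference between the behaviour described above and option 4 ("only allow adding new CSP policies"), added here as an illustration and not taken from Firefox or from the bug. It assumes each part carries its own header block; the boundary, the sample body and all function names are constructed for the example.

```javascript
// Added illustration: a simplified model, not Firefox code.
// Constructed sample body; assumes each part carries its own header block.
const SAMPLE_BODY = [
  "--frame", "Content-Security-Policy: script-src 'none'", "", "<p>part 1</p>",
  "--frame", "Content-Type: text/html", "", "<p>part 2</p>",
  "--frame", "Content-Security-Policy: img-src 'self'", "", "<p>part 3</p>",
  "--frame--", "",
].join("\r\n");

// Split the body on the boundary and collect each part's CSP header values.
function parseParts(body, boundary) {
  const parts = [];
  for (const seg of body.split("--" + boundary).slice(1)) {
    if (seg.startsWith("--")) break; // closing delimiter "--boundary--"
    const [head, ...rest] = seg.replace(/^\r\n/, "").split("\r\n\r\n");
    const csp = [];
    for (const line of head.split("\r\n")) {
      const m = /^content-security-policy\s*:(.*)$/i.exec(line);
      if (m) csp.push(m[1].trim());
    }
    parts.push({ csp, content: rest.join("\r\n\r\n").replace(/\r\n$/, "") });
  }
  return parts;
}

// Policies enforced while each part is displayed.
// "replace": every part is treated as a fresh load (the behaviour described).
// "append-only": option 4; earlier policies stay, later parts may only add.
function enforcedPolicies(parts, mode) {
  let kept = [];
  return parts.map(({ csp }) => {
    kept = mode === "append-only"
      ? [...kept, ...csp.filter((p) => !kept.includes(p))]
      : csp;
    return kept;
  });
}

// Indexes of parts that omit a policy an earlier part had delivered.
function weakeningParts(parts) {
  const seen = new Set();
  return parts.flatMap(({ csp }, i) => {
    const dropped = [...seen].some((p) => !csp.includes(p));
    csp.forEach((p) => seen.add(p));
    return dropped ? [i] : [];
  });
}
```

Because a document enforces every policy in its list, an append-only list can only become more restrictive as parts arrive, while the replace model leaves the second part with no policy at all.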
