Bug 1909241 Comment 7 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter's name and original timestamp.
Patch is ready for sec-approval process. Note: although this bug is rated sec-high, I think that it is actually sec-moderate, as its impact is similar to bug 1432358, which was also rated sec-moderate. The impact of this bug is limited to websites that already have an HTML injection/XSS vulnerability. Web authors may use CSP with the expectation that they'd mitigate the impact of XSS. Due to the reported bug, the CSP "strict-dynamic" directive can be bypassed. Websites that do not use strict-dynamic, but e.g. an allowlist of permitted hosts, are still safe.
Patch is ready for sec-approval process. Note: although this bug is rated sec-high, I think that it is actually sec-moderate, as its impact is similar to bug 1432358, which was also rated sec-moderate. The impact of this bug is limited to websites that already have an HTML injection/XSS vulnerability. Web authors may use CSP with the expectation that they'd mitigate the impact of XSS. Due to the reported bug, the CSP "strict-dynamic" directive can be bypassed. Websites that do not use strict-dynamic, but e.g. an allowlist of permitted hosts, are still safe. EDIT: I chatted with Dan - this is borderline sec-high instead of sec-moderate because CSP strict-dynamic feature is more widely deployed now.
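The two CSP styles the comment contrasts, as an added illustration that is not code from the bug, from Firefox, or from the commenter, and that does not reproduce the reported bypass (its details are not on this page): a simplified model of how CSP Level 3 evaluates a script-src directive with 'strict-dynamic' versus one with a host allowlist. It encodes the spec's intended behaviour only, so the difference in trust model is visible: under 'strict-dynamic' the host allowlist is ignored and trust propagates to any non-parser-inserted script created by already-trusted script, whereas an allowlist policy judges every fetch by origin. Hash sources and directives other than script-src are left out; the origins, nonce value and script URLs are constructed for the example.

```javascript
// Added example: simplified CSP3 script-src evaluation for two policy styles.
// Not Firefox code and not the reported bug; spec-intended behaviour only.

// Parse a script-src directive value into its source expressions.
// Hash sources ('sha256-...') are deliberately not modelled.
function parseScriptSrc(directiveValue) {
  const policy = { nonces: new Set(), origins: new Set(), self: false,
                   strictDynamic: false, unsafeInline: false };
  for (const token of directiveValue.trim().split(/\s+/)) {
    if (token === "'strict-dynamic'") policy.strictDynamic = true;
    else if (token === "'unsafe-inline'") policy.unsafeInline = true;
    else if (token === "'self'") policy.self = true;
    else if (token.startsWith("'nonce-")) policy.nonces.add(token.slice(7, -1));
    else policy.origins.add(new URL(token).origin); // host-source, simplified to an origin
  }
  return policy;
}

// script: { src?: string, nonce?: string, parserInserted: boolean }
// No src means an inline script. parserInserted is true for markup the HTML
// parser handled (the page's own markup and injected markup alike); false for
// elements created by script via document.createElement() and appended.
function scriptAllowed(policy, script, pageOrigin) {
  // A matching nonce wins under either policy style.
  if (script.nonce !== undefined && policy.nonces.has(script.nonce)) return true;

  if (policy.strictDynamic) {
    // 'strict-dynamic': host sources, 'self' and 'unsafe-inline' are ignored.
    // Trust propagates only to non-parser-inserted scripts; anything the
    // parser inserted without a valid nonce is blocked.
    return !script.parserInserted;
  }

  if (script.src === undefined) {
    // Inline script: needs 'unsafe-inline', which a nonce-carrying policy disables.
    return policy.unsafeInline && policy.nonces.size === 0;
  }
  const origin = new URL(script.src).origin;
  if (policy.self && origin === pageOrigin) return true;
  return policy.origins.has(origin);
}

// Constructed scenarios (assumed origins and nonce, not from the bug):
// an injected <script> tag, a guessed nonce, the page's own nonced script,
// and a runtime loader that creates script elements from a CDN or from
// attacker-controlled data.
const PAGE_ORIGIN = "https://app.example";
const STRICT_POLICY = parseScriptSrc("'nonce-r4nd0m' 'strict-dynamic'");
const ALLOWLIST_POLICY = parseScriptSrc("'self' https://cdn.example.com");

function evaluateScenarios() {
  const scripts = {
    injectedTag:    { src: "https://attacker.example/x.js", parserInserted: true },
    guessedNonce:   { src: "https://attacker.example/x.js", nonce: "guess", parserInserted: true },
    pageScript:     { src: "https://app.example/app.js", nonce: "r4nd0m", parserInserted: true },
    loaderCdn:      { src: "https://cdn.example.com/lib.js", parserInserted: false },
    loaderAttacker: { src: "https://attacker.example/x.js", parserInserted: false },
  };
  const verdicts = { strict: {}, allowlist: {} };
  for (const [name, script] of Object.entries(scripts)) {
    verdicts.strict[name] = scriptAllowed(STRICT_POLICY, script, PAGE_ORIGIN);
    verdicts.allowlist[name] = scriptAllowed(ALLOWLIST_POLICY, script, PAGE_ORIGIN);
  }
  return verdicts;
}

console.table(evaluateScenarios());
```

The injected tag and the guessed nonce are blocked under both policies, which is the mitigation authors expect from CSP. The last scenario is the one to keep in mind when weighing the comment's severity argument: a trusted loader that builds a script element from attacker-influenced data is allowed by design under 'strict-dynamic', but refused by the allowlist policy because the origin is not listed.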