Any updates on this? Also why is CVE-2015-4490 (Mozilla Content Security Policy allows for asterisk wildcards in violation of CSP specification, Bug 1086999) sec-moderate, while this is sec-low? For that bug, it's also trivial for attackers to bypass CSP since it accepts arbitrary hosts. That's said, I don't really object to assign this bug sec-low, but I'm just curious to know if there's more reason.
Bug 1388015 Comment 4 Edit History
Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.
Any updates on this?