(In reply to Daniel Veditz [:dveditz] from comment #7)
> (In reply to Ryan VanderMeulen [:RyanVM] from comment #6)
> > Is there anything we can do to mitigate this on ESR68?
>
> _This_ bug is not that bad: we can live with it on ESR68 in my opinion.

We seem to have a slightly worse bug which _does_ inherit the origin and works against a strong CSP of `default-src 'none'` that we might want to get into ESR 68. `<object data=javascript:alert(1)>` as reported at https://twitter.com/abrasaxor/status/1182828876877238273 (I thought we had a report for this, but searching for either "vrech" or "abrasax" on bugzilla doesn't get me any results)
Bug 1441468 Comment 8 Edit History
~We seem to have a slightly worse bug which _does_ inherit the origin and works against a strong CSP of `default-src 'none'` that we might want to get into ESR 68.~ Never mind. That one is bug 1587976 and does not affect ESR 68.