Created attachment 8847066
PoC

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98 Safari/537.36

Steps to reproduce:

See PoC.

Actual results:

Firefox allows setting <base> for sandboxed iframes ignoring the base-uri directive of the parent page. If the iframe does not have the sandbox attribute, the base tag is correctly blocked.

Expected results:

The base tag should have been blocked respecting the parent document's CSP.

Firefox simply does not propagate CSP to sandboxed iframes because they are in a null origin.