Wildcard in CSP policy directives no longer allows blob:, data: and filesystem: resources

Published: | Categories: Privacy & Security


Firefox was incorrectly allowing resources loaded from blob:, data: and filesystem: URLs when an asterisk wildcard (*) was used in a CSP policy directive. The CSP specification defines * as matching network schemes only, so these scheme-specific sources must be listed explicitly. This behaviour has been fixed in Firefox 40. So far, CNN, Facebook, FastMail and WhatsApp are known to be affected by this change, because those sites use img-src * in their policies while displaying images from data: URLs. The fix is to add data: (and blob: or filesystem: where needed) explicitly to the appropriate directive, for example img-src * data:.
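To see why a policy with a bare wildcard breaks under the corrected behaviour, here is an added, simplified CSP source-list matcher (example code written for this note, not Firefox's implementation); the policies, hostnames and URLs in it are constructed, and host matching ignores ports and paths.

```python
from urllib.parse import urlparse

# Per the CSP spec, '*' matches only network schemes; data:, blob: and
# filesystem: sources must be named explicitly in the directive.
NETWORK_SCHEMES = {"http", "https", "ws", "wss"}


def parse_policy(policy: str) -> dict:
    """Split 'img-src * data:; script-src https:' into {directive: [sources]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def source_matches(source: str, url: str) -> bool:
    """Return True if one source expression permits the given URL."""
    parsed = urlparse(url)
    scheme, host = parsed.scheme.lower(), parsed.netloc.lower()
    src = source.lower()
    if src == "*":
        # The corrected Firefox 40 behaviour: wildcard never covers data:/blob:/filesystem:
        return scheme in NETWORK_SCHEMES
    if src.endswith(":"):
        # scheme-source such as data: or blob:
        return scheme == src[:-1]
    if "://" in src:
        # host-source with an explicit scheme, e.g. https://cdn.example.com
        src_scheme, src = src.split("://", 1)
        if scheme != src_scheme:
            return False
    if src.startswith("*."):
        return host.endswith(src[1:])
    return host == src


def allowed(policy: str, directive: str, url: str) -> bool:
    """Check whether a fetch for `directive` (e.g. img-src) is permitted by `policy`."""
    sources = parse_policy(policy).get(directive, [])
    return any(source_matches(s, url) for s in sources)


# Constructed sample: the broken policy versus the explicit one.
BROKEN_POLICY = "img-src *"
FIXED_POLICY = "img-src * data:"
INLINE_IMAGE = "data:image/png;base64,AAAA"
```

With the broken policy the inline image is blocked; adding data: to img-src allows it again without also opening blob: or filesystem:.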