Yangzheng Li

**Name of the Vulnerable Software and Affected Versions** Firefox versions prior to 70 **Description** The issue is related to an object tag with a data URI not correctly inheriting the document's Content Security Policy, allowing a CSP bypass in a cross-origin frame if the document's policy explicitly allows data: URIs. This could potentially allow a remote attacker to gain unauthorized access to confidential data and impact data integrity. **Recommendations** For versions prior to 70, update to version 70 or later to resolve the issue. As a temporary workaround, consider restricting the use of data: URIs in the Content Security Policy to minimize the risk of exploitation.