firefox is vulnerable to arbitrary code execution. The vulnerability exists as the srcdoc
content with an iframe
has a sandbox
attribute, fails to inherit the containing page’s Content Security Policy (CSP) as it should unless the sandbox attribute included allow-same-origin
.