According to Cisco Talos researcher Nicolai Grødum, the vulnerability can be classified as a bypass of the Content Security Policy (CSP), a mechanism that allows website developers to configure HTTP headers and instruct the browsers of people visiting their site what resources (JavaScript, CSS) they can load and from where. The Content Security Policy (CSP) is one of the tools that browsers use to enforce Same-Origin Policy (SOP) inside browsers.
Grødum says that he found a way to bypass CSP — technical details available here — that will allow an attacker to load malicious JavaScript code on a remote site and carry out intrusive operations such as collecting information from users’ cookies, or logging keystrokes inside the page’s forms, and others.
Summarizing, Edge users are still vulnerable to this flaw, while users employing Google Chrome 57.0.2987.98, iOS 10.3, and Safari 10.1 or later are all protected. Firefox is not affected.
