The Mozilla Foundation Security Advisory describes this flaw as: Documents formed using data:
URLs in an object
element failed to inherit the CSP of the creating context. This allowed the execution of scripts that should have been blocked, albeit with a unique opaque origin.