Closed
Bug 530647
Opened 15 years ago
Closed 14 years ago
CSP vulnerable to UTF-7 encoded script injection
Categories
(Core :: DOM: Core & HTML, defect)
RESOLVED
FIXED
People
(Reporter: bsterne, Unassigned)
Gareth Heyes points out in:
http://www.thespanner.co.uk/2009/11/23/bypassing-csp-for-fun-no-profit/
that sites which have a JSON or script feed that is being properly sanitized for metacharacters such as '<' and '>' can still be vulnerable to script injection by an attacker that includes charset="utf-7" in the injected script tag.
Have we considered not honoring the charset attribute in script tags unless it matches the charset in the Content-Type sent by the server?
Comment 1•15 years ago
Removing UTF-7 support entirely (bug 414064) would fix this bug as well, I suppose.
Fixing bug 414064 would definitely be better than solving this for CSP only, since supporting UTF-7 is bad in general, and not in compliance with HTML5, which is something we want to be.
Comment 3•14 years ago
Bug 414064 is now fixed, so I guess this is too.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED
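Added example (not part of the bug report and not Mozilla's code): a Python sketch of why escaping '<' and '>' does not protect a feed that a consumer decodes as UTF-7, and of the charset policy raised in the description combined with never honouring UTF-7. The function names, the label set and the sample feed are assumptions made for illustration.

```python
import html
import json
from email.message import Message

UTF7_LABELS = {"utf-7", "utf7"}  # labels treated as UTF-7 in this sketch


def build_feed(user_value):
    """JSON feed whose value is escaped for HTML metacharacters ('<', '>', ...)."""
    return json.dumps({"name": html.escape(user_value)}).encode("ascii")


def served_charset(content_type):
    """charset parameter of a Content-Type header value, lowercased, or None."""
    msg = Message()
    msg["Content-Type"] = content_type
    return msg.get_content_charset()


def script_charset(attr_charset, content_type, default="utf-8"):
    """Charset used to decode a script under the policy discussed in this bug."""
    served = served_charset(content_type)
    attr = (attr_charset or "").strip().lower()
    # Honour the charset attribute only when it agrees with the server's label.
    chosen = attr if attr and attr == served else (served or default)
    # UTF-7 is never honoured, whoever asked for it.
    return default if chosen in UTF7_LABELS else chosen


# Constructed sample: the text '<x>' written as UTF-7 shift sequences.
SAMPLE_VALUE = "+ADw-x+AD4-"
FEED = build_feed(SAMPLE_VALUE)
CONTENT_TYPE = "application/json; charset=UTF-8"  # constructed header value

if __name__ == "__main__":
    print("bytes on the wire:      ", FEED)
    print("'<' present in bytes:   ", b"<" in FEED)
    print("decoded as utf-7:       ", FEED.decode("utf-7"))
    policy = script_charset("utf-7", CONTENT_TYPE)
    print("charset under policy:   ", policy)
    print("decoded under policy:   ", FEED.decode(policy))
```

The escaped feed contains no '<' byte, so a byte-level sanitizer has nothing to catch; the metacharacters only appear once the consumer applies the UTF-7 decoder.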