User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:
1. Create a web page with alert script: <html><body><script>alert("You are hacked")</script></body></html>
2. Set Content-Security-Policy header for this page with value "sandbox" or "sandbox;".
3. Open page in Firefox

Actual results:
Error in Console: Content Security Policy: Couldn't process unknown directive 'sandbox'
Alert box appears in browser.

Expected results:
Alert box must be blocked by browser, violation must be shown in console.

If header value is "default-src *; sandbox;" - Firefox works as expected. Chrome and IE work OK in all cases.
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
(In reply to Adei from comment #1)
> If header value is "default-src *; sandbox;" - Firefox works as expected.

Sorry, actually not. Does Firefox support "sandbox" in CSP at all?
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
Looks like "sandbox" is not implemented in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=671389 It's really sad.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 671389
Component: Untriaged → DOM: Security
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
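
The report above shows a policy made up only of "sandbox" giving no script protection in a browser that does not implement that directive. The following is an added example, not part of this bug thread or of Firefox: a JavaScript audit that flags headers relying on sandbox alone. It assumes an unsupported directive is skipped and the rest of the policy is enforced; the names parseCsp, blocksInlineScript and audit are hypothetical, the sample policies are constructed, and nonce/hash sources are not modelled.

```javascript
// Added example (not Firefox code): flag CSP headers that rely on `sandbox` alone.
// Assumption: a browser skips a directive it does not implement and enforces
// the rest, as the "unknown directive" console message in the report suggests.

// Split a policy into a Map of lower-cased directive name -> source tokens.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // tolerate a trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// True when the policy stops an inline <script> that carries no nonce or hash.
// `supported` is the set of directive names the modelled browser implements.
function blocksInlineScript(header, supported) {
  const policy = parseCsp(header);
  const has = (name) => policy.has(name) && supported.has(name);
  const lower = (name) => policy.get(name).map((t) => t.toLowerCase());
  // sandbox disables scripting unless allow-scripts is granted.
  if (has('sandbox') && !lower('sandbox').includes('allow-scripts')) return true;
  // script-src, falling back to default-src, governs inline script.
  const governing = has('script-src') ? 'script-src'
    : has('default-src') ? 'default-src' : null;
  if (governing === null) return false;
  return !lower(governing).includes("'unsafe-inline'");
}

const FULL = new Set(['sandbox', 'script-src', 'default-src']);
const NO_SANDBOX = new Set(['script-src', 'default-src']); // browser as reported above

// Compare the two browser models and flag policies that only sandbox protects.
function audit(header) {
  const withSandbox = blocksInlineScript(header, FULL);
  const withoutSandbox = blocksInlineScript(header, NO_SANDBOX);
  return { withSandbox, withoutSandbox, reliesOnSandboxOnly: withSandbox && !withoutSandbox };
}

// Constructed sample policies.
for (const h of ['sandbox', 'sandbox;', "sandbox; script-src 'none'", 'sandbox allow-scripts']) {
  console.log(JSON.stringify(h), audit(h));
}
```

A header flagged with reliesOnSandboxOnly needs an explicit script-src (or default-src) restriction if it must also hold in browsers without sandbox support.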