Closed Bug 1223383 Opened 9 years ago Closed 9 years ago

Content Security Policy: Couldn't process unknown directive 'sandbox'

Categories

(Core :: DOM: Security, defect)

42 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 671389

People

(Reporter: andriy.pitukh, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:
1. Create a web page with alert script:
   <html><body><script>alert("You are hacked")</script></body></html>
2. Set Content-Security-Policy header for this page with value "sandbox" or "sandbox;".
3. Open page in Firefox

Actual results:
Error in Console: Content Security Policy: Couldn't process unknown directive 'sandbox'
Alert box appears in browser.

Expected results:
Alert box must be blocked by browser, violation must be shown in console.

If header value is "default-src *; sandbox;" - Firefox works as expected. Chrome and IE work OK in all cases.
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
(In reply to Adei from comment #1)
> If header value is "default-src *; sandbox;" - Firefox works as expected.

Sorry, actually not. Does Firefox support "sandbox" in CSP at all?
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives

Looks like "sandbox" is not implemented in Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=671389
It's really sad.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Component: Untriaged → DOM: Security
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
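
Added example, not part of the bug report and not Firefox code: a small model of a user agent that ignores CSP directives it does not recognise, run over the three header values quoted in this bug, to show which directives are dropped and whether `sandbox` ends up blocking script. The function names and the two support sets (`UA_WITHOUT_SANDBOX`, `UA_WITH_SANDBOX`) are assumptions made for the example.

```javascript
// Added example; models a user agent that drops CSP directives it does not
// recognise, which is the behaviour the console message in this bug reports.

// Parse a serialized policy: ';'-separated directives, case-insensitive
// names, and a repeated directive name is ignored after its first use.
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. after "sandbox;"
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Assumed support sets, constructed for this example.
const UA_WITHOUT_SANDBOX = new Set(['default-src', 'script-src']);
const UA_WITH_SANDBOX = new Set([...UA_WITHOUT_SANDBOX, 'sandbox']);

// Split the policy into what this user agent enforces and what it ignores.
function effectivePolicy(header, supported) {
  const enforced = new Map();
  const ignored = [];
  for (const [name, values] of parsePolicy(header)) {
    if (supported.has(name)) enforced.set(name, values);
    else ignored.push(name);
  }
  return { enforced, ignored };
}

// The sandbox directive blocks script only when the user agent enforces it
// and the flag list does not contain allow-scripts.
function sandboxBlocksScripts(header, supported) {
  const flags = effectivePolicy(header, supported).enforced.get('sandbox');
  return flags !== undefined &&
    !flags.some((f) => f.toLowerCase() === 'allow-scripts');
}

// The three header values from the report, against both support sets.
for (const header of ['sandbox', 'sandbox;', 'default-src *; sandbox;']) {
  const { ignored } = effectivePolicy(header, UA_WITHOUT_SANDBOX);
  console.log(JSON.stringify(header), 'ignored:', ignored,
    'blocked without support:', sandboxBlocksScripts(header, UA_WITHOUT_SANDBOX),
    'blocked with support:', sandboxBlocksScripts(header, UA_WITH_SANDBOX));
}
```

A non-empty `ignored` list for a target browser means that part of the policy has no effect there, so a page that relies on it alone is served unprotected.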