Content Security Policy: Couldn't process unknown directive 'sandbox'

RESOLVED DUPLICATE of bug 671389

Product: Core
Component: DOM: Security
Reporter: Adei
Assignee: Unassigned
Tracking: 42 Branch

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:42.0) Gecko/20100101 Firefox/42.0
Build ID: 20151029151421

Steps to reproduce:

1. Create a web page with an alert script:
<html><body><script>alert("You are hacked")</script></body></html>
2. Set the Content-Security-Policy header for this page to the value "sandbox" or "sandbox;".
3. Open the page in Firefox.


Actual results:

Error in Console:
Content Security Policy: Couldn't process unknown directive 'sandbox'

Alert box appears in browser.


Expected results:

The alert box must be blocked by the browser, and the violation must be shown in the console.
(Reporter)

Comment 1

2 years ago
If the header value is "default-src *; sandbox;", Firefox works as expected.

Chrome and IE work OK in all cases.
OS: Unspecified → Windows 7
Hardware: Unspecified → x86_64
(Reporter)

Comment 2

2 years ago
(In reply to Adei from comment #1)
> If header value is "default-src *; sandbox;" - Firefox works as expected.

Sorry, actually not.

Does Firefox support "sandbox" in CSP at all?
https://developer.mozilla.org/en-US/docs/Web/Security/CSP/CSP_policy_directives
(Reporter)

Comment 3

2 years ago
Looks like "sandbox" is not implemented in Firefox. https://bugzilla.mozilla.org/show_bug.cgi?id=671389
It's really sad.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 671389

Updated

2 years ago
Component: Untriaged → DOM: Security
OS: Windows 7 → All
Product: Firefox → Core
Hardware: x86_64 → All
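
The console message in this report reflects how a CSP parser treats a directive it does not recognise: the directive is skipped and only the remaining directives are enforced. The sketch below is an added example, not code from this bug or from Firefox; the two supported-directive sets and all function names are assumptions made for illustration, and nonce/hash sources are not modelled.

```javascript
// Added example: models the CSP rule that a user agent skips directives it
// does not recognise. Not Firefox source code.

// Assumed directive sets for two hypothetical engines (illustrative, incomplete).
const WITH_SANDBOX = new Set(['default-src', 'script-src', 'sandbox']);
const WITHOUT_SANDBOX = new Set(['default-src', 'script-src']);

// Parse a serialized policy: split on ';', drop empty entries (so "sandbox;"
// equals "sandbox"), lowercase the name, keep the first occurrence of each.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Split the policy into what the engine enforces and what it silently drops.
function effectivePolicy(headerValue, supported) {
  const enforced = new Map();
  const ignored = [];
  for (const [name, values] of parseCsp(headerValue)) {
    if (supported.has(name)) enforced.set(name, values);
    else ignored.push(name);
  }
  return { enforced, ignored };
}

// Would the inline <script> from the steps to reproduce be blocked?
// Simplified: nonces and hashes are not modelled.
function inlineScriptBlocked(headerValue, supported) {
  const { enforced } = effectivePolicy(headerValue, supported);
  const sandbox = enforced.get('sandbox');
  if (sandbox && !sandbox.includes('allow-scripts')) return true;
  const src = enforced.get('script-src') || enforced.get('default-src');
  return src !== undefined && !src.includes("'unsafe-inline'");
}

// The two header values from the report, on each engine.
for (const value of ['sandbox', 'sandbox;']) {
  console.log(JSON.stringify(value),
    'with sandbox support:', inlineScriptBlocked(value, WITH_SANDBOX),
    '| without:', inlineScriptBlocked(value, WITHOUT_SANDBOX));
}
```

A policy whose only script restriction is `sandbox` therefore restricts nothing on an engine that lacks the directive.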