Advised to use child-src in CSP when child-src is already specified.

RESOLVED DUPLICATE of bug 1288896


People

(Reporter: scotthelme, Unassigned)

Tracking

48 Branch

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36

Steps to reproduce:

I issue a CSP header that contains both the child-src and frame-src directives. These directives contain the same values for backwards compatibility.

You can see this in my current CSP header on https://scotthelme.co.uk 


Actual results:

Firefox gives me the following warning: 

Content Security Policy: Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead.


Expected results:

I am already using the child-src directive so this warning is redundant. Firefox should simply disregard the frame-src directive and use the provided child-src directive.
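The behaviour requested in the report can be sketched as a small policy check. This is an added example, not Firefox code and not part of the original report; the function names, the mismatch message and the sample policies are assumptions made for illustration.

```javascript
// Added example, not Firefox code: warn about frame-src only when that is actionable.

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by CSP parsing; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Order-insensitive comparison of two source lists (simplification: exact string match).
function sameSources(a, b) {
  const setA = new Set(a);
  const setB = new Set(b);
  return setA.size === setB.size && [...setA].every((s) => setB.has(s));
}

// Hypothetical checker: returns the messages to log for one policy.
function frameSrcWarnings(headerValue) {
  const policy = parseCsp(headerValue);
  const frame = policy.get("frame-src");
  const child = policy.get("child-src");
  if (frame === undefined) return [];
  if (child === undefined) {
    return ["Directive 'frame-src' has been deprecated. Please use directive 'child-src' instead."];
  }
  if (!sameSources(frame, child)) {
    // Assumption of this example: a mismatch is worth reporting, because browsers
    // that honour different directives would enforce different frame policies.
    return ["Directives 'frame-src' and 'child-src' list different sources."];
  }
  return []; // both present with the same sources: the deprecation notice is redundant
}

// Constructed sample policies (not the header served by the reporter's site).
const BOTH = "default-src 'self'; child-src https://frames.example; frame-src https://frames.example";
const LEGACY_ONLY = "default-src 'self'; frame-src https://frames.example";
const MISMATCH = "child-src https://frames.example; frame-src https://frames.example https://other.example";

for (const p of [BOTH, LEGACY_ONLY, MISMATCH]) console.log(frameSrcWarnings(p));
```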

Updated

2 years ago
Component: Untriaged → DOM: Security
Product: Firefox → Core

Updated

2 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1288896