Closed Bug 1345101 Opened 8 years ago Closed 8 years ago

Content-Security-Policy should not send 'violated-directive: default-src'

Categories

(Core :: DOM: Security, defect)

Not set
normal

Tracking

RESOLVED DUPLICATE of bug 1192684
Tracking Status
firefox55 --- affected

People

(Reporter: jwatt, Unassigned)

Details

Sending 'violated-directive: default-src' is annoying. 'default-src' provides default values for the other '*-src' directives, and reporting should specify exactly which of those directives was violated. Failing to do that makes it much harder for people to figure out which of the actual '*-src' directives is the problem, or which one they might want to consider adding an explicit value for.
This is actually correct according to the spec: https://w3c.github.io/webappsec-csp/2/#violation-reports
What we are missing is the "effective-directive" item.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
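Added example, not part of the bug report or of Firefox's code: a report-collector-side triage showing why a report that names only 'default-src' is ambiguous and how "effective-directive" resolves it. The field names and the fallback list follow CSP Level 2; the function names and both sample reports are constructed for illustration.

```python
import json

# Fetch directives that CSP Level 2 lets fall back to default-src when unset.
FALLBACK_TO_DEFAULT = ("child-src", "connect-src", "font-src", "img-src",
                       "media-src", "object-src", "script-src", "style-src")


def parse_policy(policy):
    """Split a serialized policy into {directive-name: [source, ...]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored; the first occurrence wins.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def triage(raw_report):
    """Return (directive, via_default_src, candidates) for one report body."""
    report = json.loads(raw_report)["csp-report"]
    violated = report.get("violated-directive", "").split()
    violated_name = violated[0].lower() if violated else ""
    via_default = violated_name == "default-src"
    effective = report.get("effective-directive", "").lower()
    if effective:
        # The sender named the directive that was actually enforced.
        return effective, via_default, [effective]
    if not via_default:
        return violated_name, False, [violated_name]
    # Only 'default-src' is known: every fetch directive the policy leaves
    # unset could have been the one that triggered the report.
    explicit = parse_policy(report.get("original-policy", ""))
    return None, True, [d for d in FALLBACK_TO_DEFAULT if d not in explicit]


# Constructed sample reports (hypothetical site and URLs).
_BASE = {"document-uri": "https://example.test/",
         "blocked-uri": "https://cdn.example.test/lib.js",
         "violated-directive": "default-src 'self'",
         "original-policy": "default-src 'self'; img-src *; report-uri /csp"}
WITHOUT_EFFECTIVE = json.dumps({"csp-report": _BASE})
WITH_EFFECTIVE = json.dumps(
    {"csp-report": dict(_BASE, **{"effective-directive": "script-src"})})

if __name__ == "__main__":
    print(triage(WITHOUT_EFFECTIVE))  # seven candidate directives remain
    print(triage(WITH_EFFECTIVE))     # narrowed to script-src
```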