CSP causes false error due to add-on Canvas Fingerprint Blocker

RESOLVED DUPLICATE of bug 615708

Status

Core
DOM: Security

People

(Reporter: Martijn, Unassigned)

Tracking

52 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

301 bytes, application/x-zip-compressed
(Reporter)

Description

a year ago
Created attachment 8855279 [details]
test.zip

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023

Steps to reproduce:

A page with a basic CSP defined will always trigger on an apparent "call to eval()" even when the page contains absolutely no script. Test page is attached.

The problem is only reproduced when accessing the page from a webserver - so opening it directly will not trigger this bug.


Actual results:

Error:

Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src http://192.168.178.39:3000"). Source: call to eval() or related function blocked by CSP.


Expected results:

No error.

The above error is pointless. There is no call to eval() anywhere. In fact, there is NO script on the page whatsoever.
(Reporter)

Comment 1

a year ago
I found the culprit: Canvas Fingerprint Blocker addon.

Addons are outside a website's control, and therefore shouldn't trigger CSP errors. It gives web developers headaches.
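
A harness for repeating the comparison described in the report, added here as an example and not the attached test.zip or Mozilla's code: it checks that the page itself contains nothing that could run script, then serves it over HTTP under a policy of the same shape as the one in the error message. The page content, the loopback address and the helper names (`script_vectors`, `csp_for`) are assumptions, as is delivering the policy in a response header.

```python
from html.parser import HTMLParser
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed page (not the attached test.zip): no script of any kind.
PAGE = ('<!DOCTYPE html><html><head><meta charset="utf-8"><title>CSP test</title>'
        '</head><body><p>No script here.</p></body></html>')


class ScriptFinder(HTMLParser):
    """Collect every construct through which the page itself could run script."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append("<script>")
        for name, value in attrs:
            if name.startswith("on"):  # inline event handlers (onload, onclick, ...)
                self.found.append(f"{tag}[{name}]")
            elif (value or "").strip().lower().startswith("javascript:"):
                self.found.append(f"{tag}[{name}=javascript:]")


def script_vectors(html):
    """Return the script-capable constructs in html; empty means the page runs none."""
    finder = ScriptFinder()
    finder.feed(html)
    finder.close()
    return finder.found


def csp_for(host, port):
    # Same shape as the policy in the report: default-src limited to the serving origin.
    return f"default-src http://{host}:{port}"


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        body = PAGE.encode()
        host, port = self.server.server_address[:2]
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("Content-Security-Policy", csp_for(host, port))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    assert script_vectors(PAGE) == [], "page must stay script-free"
    ThreadingHTTPServer(("127.0.0.1", 3000), Handler).serve_forever()
```

Load http://127.0.0.1:3000/ once with add-ons disabled and once with them enabled, watching the browser console; a violation that appears only in the second run did not originate in the page.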

Updated

a year ago
Component: Untriaged → DOM: Security
Product: Firefox → Core

Updated

a year ago
Summary: CSP causes false error → CSP causes false error due to add-on Canvas Fingerprint Blocker
Thanks for reporting. That has been a long-standing problem with CSP and we have a duplicate bug on file for that. Marking this as a duplicate of Bug 615708.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 615708