Created attachment 8855279
test.zip

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170323105023

Steps to reproduce:

A page with a basic CSP defined will always trigger on an apparent "call to eval()" even when the page contains absolutely no script. Test page is attached. The problem is only reproduced when accessing the page from a webserver - so opening it directly will not trigger this bug.

Actual results:

Error: Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src http://192.168.178.39:3000"). Source: call to eval() or related function blocked by CSP.

Expected results:

No error. The above error is pointless. There is no call to eval() anywhere. In fact, there is NO script on the page whatsoever.
I found the culprit: Canvas Fingerprint Blocker addon. Addons are outside a website's control, and therefore shouldn't trigger CSP errors. It gives web developers headaches.
Summary: CSP causes false error → CSP causes false error due to add-on Canvas Fingerprint Blocker
Thanks for reporting. That has been a long-standing problem with CSP and we have a duplicate bug on file for that. Marking this as a duplicate of Bug 615708.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → DUPLICATE
Duplicate of bug: 615708