Had some discussion over Mozilla Support: https://support.mozilla.org/en-US/questions/1160413?
Is it possible to provide a simple live test page on your website?
Hi Loic, I have deployed a sample page with CSP headers. http://data-uri-download-csp.bitballoon.com/ Try in Firefox and Chrome. In Chrome it's working fine but for Firefox it throws a CSP violation exception. Let me know if you need more information.
Thanks for the testcase, I can reproduce the issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase-wanted → testcase
As far as we're concerned our behavior is correct: when you click the link you are navigating the frame to the data URLs (we block it before the download is triggered). If users were allowed to navigate a frame to random sites then what is the value of frame-src? Maybe Chrome only cares that the original frame load is allowed and doesn't care about the site's rules after that? If Chrome has implemented this differently maybe the spec needs a clarification. This should be moved to a GitHub issue on the spec.
Status: NEW → RESOLVED
Last Resolved: 11 months ago
Resolution: --- → INVALID
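The check described in the last comment, as an added example that is not part of the bug thread and not Firefox's code: it decides whether a policy would let a frame navigate to a `data:` URL, using the CSP Level 3 fallback chain for `frame-src`. The two policies are constructed samples (the test page's actual header is not quoted in the thread), and the function names are hypothetical.

```javascript
// Constructed sample policies; the test page's real header is not shown in the thread.
const STRICT = "default-src 'self'; frame-src 'self' https://example.com";
const WITH_DATA = "default-src 'self'; frame-src 'self' data:";
const WILDCARD = "default-src *";

// Parse a CSP header value into a Map of directive name -> source list.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// frame-src falls back to child-src, then default-src (CSP Level 3).
function effectiveFrameDirective(directives) {
  for (const name of ["frame-src", "child-src", "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null; // no governing directive: frame navigations are unrestricted
}

// Simplified to the data: case only. Host sources, 'self' and '*' never
// match a data: URL, so only an explicit "data:" scheme-source allows it.
function dataFrameNavigation(header) {
  const eff = effectiveFrameDirective(parseCsp(header));
  if (eff === null) return { allowed: true, directive: null };
  const allowed = eff.sources.some((s) => s.toLowerCase() === "data:");
  return { allowed, directive: eff.name };
}

for (const policy of [STRICT, WITH_DATA, WILDCARD]) {
  console.log(policy, "=>", JSON.stringify(dataFrameNavigation(policy)));
}
```

A site that wants such links to work under the behavior described above would need `data:` in the governing directive, which also permits any other `data:` document to load in its frames.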