User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/62.0.3202.62 Safari/537.36 Steps to reproduce: 1. Go to https://test.shhnjk.com/local_scheme.html Actual results: Firefox takes 'self' as embedding document's origin. Expected results: According to following comment, self should be local scheme itself. https://github.com/w3c/webappsec-csp/issues/248#issuecomment-336369837
I'm not convinced Firefox is wrong (as opposed to the spec language being less useful). https://github.com/w3c/webappsec-csp/issues/248#issuecomment-340860245 In any case this is a spec compliance issue and doesn't need to be a hidden security bug.