User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv:60.0) Gecko/20100101 Firefox/60.0
Build ID: 20180206100151

Steps to reproduce:

1. Click the link https://www.halesworth.net/links/list_two.php?code=3
2. Find the link in the list with the name "Walpole Chapel".
3. Normal click on the link from  will throw "Your connection is not secure" and the page will not be loaded. Because of the "upgrade-insecure-requests" CSP from
4. Opening the link using Right-Click new tab or ctrl-click new tab or drag-and-drop new tab will load the page without any "Your connection is not secure" error.

Actual results:

Summary of actual result:
* right-click secure link to force top-level navigation
* the initial load is secure link
* the request hits a 30x redirect to navigate to insecure cross-origin page

This is because the CSP is not propagated to the TriggeringPrincipal for these scenarios. CSP object is null in the below line of code,
https://dxr.mozilla.org/mozilla-central/source/docshell/base/nsDocShell.cpp#10753

Expected results:

Expected Result: Link should be blocked from loading for all these scenarios because of the "upgrade-insecure-requests" CSP. CSP should be propagated to the Principal for all these scenarios.

Component: Untriaged → DOM: Security
Product: Firefox → Core
Priority: -- → P3