Closed Bug 1459627 Opened 6 years ago Closed 6 years ago

content security policy blocking scripts from localhost, regardless of CSP response headers.

Categories

(Core :: DOM: Security, defect)

61 Branch
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: adam.snyder, Unassigned, NeedInfo)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180503152818

Steps to reproduce:

Built a simple node/express server to host a static HTML file. The HTML file just uses jQuery, and a small script I wrote to handle a form submission. I spent a couple hours messing with content security policy in the HTTP response headers, as well as meta tags in the HTML. Firefox still refuses to load the scripts. I tested in Chrome and the scripts load without any problems.

Actual results:

When I visit the page I made in Firefox, the HTML and CSS load, but the console prints:

Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:1337/jquery-3.3.1.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:1337/script.js (“script-src”).

Expected results:

The scripts should just load.
Component: Security → DOM: Security
Do you have a testcase that exhibits this behavior? What's your CSP look like, exactly? Are you using the keyword 'self' (which equates to a fully-specified origin) or bare word localhost which would imply "all ports"? Does it work if you use the standard http port?
Flags: needinfo?(adam.snyder)
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
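
The source-expression questions in the comment above, worked as an added example (not code from this bug or from Firefox): a simplified script-src matcher in which a host-source without a port matches only the scheme's default port, and a script must pass every policy delivered (response header and meta tag). The function names are hypothetical; paths, host wildcards, nonces, hashes and scheme upgrades are not modeled.

```javascript
// Added example: simplified CSP script-src matching (scheme, host, port only).
// Covers 'self', 'none' and host-sources such as localhost, localhost:1337,
// localhost:*. All function names here are hypothetical.
const DEFAULT_PORT = { 'http:': '80', 'https:': '443' };

function effectivePort(u) {
  // URL.port is '' when the URL uses the scheme's default port.
  return u.port || DEFAULT_PORT[u.protocol] || '';
}

function sourceMatches(expr, url, pageUrl) {
  const u = new URL(url), page = new URL(pageUrl);
  if (expr === "'none'") return false;
  if (expr === "'self'") {
    return u.protocol === page.protocol && u.hostname === page.hostname &&
           effectivePort(u) === effectivePort(page);
  }
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\*|\d+))?$/i.exec(expr);
  if (!m) return false;                       // unsupported expression form
  const [, scheme, host, port] = m;
  // Without a scheme-part, the page's own scheme is required.
  if ((scheme ? scheme.toLowerCase() + ':' : page.protocol) !== u.protocol) return false;
  if (host.toLowerCase() !== u.hostname) return false;
  if (port === '*') return true;
  // No port-part: only the scheme's default port matches.
  return (port || DEFAULT_PORT[u.protocol]) === effectivePort(u);
}

function scriptSources(policy) {
  // Returns the script-src list, falling back to default-src; null if neither is set.
  const dirs = new Map();
  for (const d of policy.split(';')) {
    const [name, ...srcs] = d.trim().split(/\s+/);
    if (name && !dirs.has(name.toLowerCase())) dirs.set(name.toLowerCase(), srcs);
  }
  return dirs.get('script-src') ?? dirs.get('default-src') ?? null;
}

// Every delivered policy (response header and <meta>) must allow the script.
function scriptAllowed(policies, url, pageUrl) {
  return policies.every((p) => {
    const srcs = scriptSources(p);
    return srcs === null || srcs.some((s) => sourceMatches(s, url, pageUrl));
  });
}
```

Pass each policy string as the browser receives it: one entry for the Content-Security-Policy response header and one for each meta tag in the HTML.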