Closed
Bug 1459627
Opened 6 years ago
Closed 6 years ago
content security policy blocking scripts from localhost, regardless of CSP response headers.
Categories
(Core :: DOM: Security, defect)
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: adam.snyder, Unassigned, NeedInfo)
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180503152818
Steps to reproduce:
Built a simple node/express server to host a static html file. the html file just uses jquery, and a small script i wrote to handle a form submission.
I spent a couple hours messing with content security policy in the http response headers, as well as meta tags in the html. Firefox still refuses to load the scripts.
I tested in chrome and the scripts load without any problems.
Actual results:
when I visit the page i made in firefox, the html and css load, but the console prints:
Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:1337/jquery-3.3.1.js (“script-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at http://localhost:1337/script.js (“script-src”).
Expected results:
the scripts should just load.
Updated•6 years ago
|
Component: Security → DOM: Security
Comment 1•6 years ago
|
||
Do you have a testcase that exhibits this behavior?
What's your CSP look like, exactly?
Are you using the keyword 'self' (which equates to a fully-specified origin) or bare word localhost which would imply "all ports"?
Does it work if you use the standard http port?
Flags: needinfo?(adam.snyder)
Updated•6 years ago
|
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•