User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3435.0 Safari/537.36

Steps to reproduce:

Have two extensions installed which apply CSP policies for websites, for example uBlock Origin and uMatrix.

1) Add a CSP filter such as ||youtube.com^$csp=img-src 'none' in uBlock Origin under the My Filters tab and save it.
2) In uMatrix, open the dashboard, browse to My Rules, add "no-workers: * true" and save it, which will apply a CSP filter such as worker-src 'none' when browsing to any website.
3) Visit https://www.youtube.com/ and notice that none of the images are blocked even though a CSP policy for img-src was set by uBlock Origin; rather, Firefox only applies uMatrix's worker-src CSP.

PS - This ONLY occurs in Firefox, while with Chromium, the CSP policies from both extensions are applied. It might be related to this - https://bugzilla.mozilla.org/show_bug.cgi?id=1377689

Actual results:

Images are not blocked despite the img-src CSP policy being set by uBlock Origin, which can be seen from the console screenshot here - https://i.gyazo.com/862e806400876750681e71fda82c7eb7.png

Expected results:

Images should have been blocked because a CSP policy for images is being set by uBlock Origin along with uMatrix's worker-src CSP policy.
I can reproduce this on Firefox v61/62 (Nightly).
PS - This happens ONLY when there is no original CSP header in response.
Component: Untriaged → WebExtensions: Request Handling
Product: Firefox → Toolkit
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: If two CSP policies from two extensions are set, Firefox only applies one → Consider merging new mergable headers that didn't exist in the original request
Is this still being worked on?
It is still in the queue, yes. But it's not under active development right now.
Which queue?
It is not a literal queue; P2 means we will work on it after the critical things we're doing now (P1) are done.
New STR as the old one is no longer relevant:

1) Add a CSP filter such as ||w3schools.com^$csp=default-src 'self' 'unsafe-inline' 'unsafe-eval' in uBlock Origin under the My Filters tab and save it.
2) Install uMatrix from https://github.com/gorhill/uMatrix/releases/tag/1.3.17b0 by clicking on the file name uMatrix.firefox.signed.xpi.
3) In uMatrix, open the dashboard, browse to My Rules, add "no-workers: * true" and save it, which will apply a CSP filter such as worker-src 'none' when browsing to any website.
4) Visit https://www.w3schools.com/html/tryit.asp?filename=tryhtml5_webworker and open the uMatrix logger (by opening moz-extension://41cfb02c-c075-468a-b815-858fdbc2a15c/logger-ui.html in a new tab).
5) Go back to the w3schools tab and click Start worker; the count will begin. Check the logger tab opened earlier: the request appears but is not blocked, even though it should have been because of the "no-workers: * true" rule, which applies the worker CSP to block all workers.
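The following is an added illustration, not code from Firefox, uBlock Origin or uMatrix. It models the `[{name, value}]` header lists that `webRequest.onHeadersReceived` listeners return and contrasts the additive handling the summary asks for (append a second `Content-Security-Policy` header) with the lossy replacement described in both STRs; the policy evaluator is deliberately simplified (only `'none'`, `'self'`, `*` and host sources, with `default-src` as the sole fallback) and the URLs are constructed sample values.

```javascript
// Modelled header list shape: [{ name: 'Content-Security-Policy', value: '...' }]
const CSP = 'content-security-policy';

// Additive handling: a policy from a second extension becomes an extra CSP header.
// Browsers enforce every CSP header on a response, so a load must satisfy all of them.
function mergeCspHeader(responseHeaders, policy) {
  return [...responseHeaders, { name: 'Content-Security-Policy', value: policy }];
}

// Lossy handling matching the report: the newest policy replaces any CSP header
// another extension already added, so the earlier policy (img-src, default-src) is lost.
function replaceCspHeader(responseHeaders, policy) {
  return [...responseHeaders.filter(h => h.name.toLowerCase() !== CSP),
          { name: 'Content-Security-Policy', value: policy }];
}

// Parse "dir src src; dir2 src" into a Map of directive -> array of source expressions.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives.set(name.toLowerCase(), sources.map(s => s.toLowerCase()));
  }
  return directives;
}

// Does one policy permit a fetch governed by `directive` (e.g. 'img-src') from `url`?
// Simplified model: only 'none', 'self', '*' and bare host sources; default-src fallback.
function policyAllows(policy, directive, url, pageOrigin) {
  const directives = parsePolicy(policy);
  const sources = directives.get(directive) ?? directives.get('default-src');
  if (!sources) return true; // this policy does not govern the fetch type at all
  const target = new URL(url);
  return sources.some(s =>
    s === '*' ||
    (s === "'self'" && target.origin === pageOrigin) ||
    s === target.origin.toLowerCase() ||
    s === target.host.toLowerCase());
}

// A load is allowed only if every CSP header present on the response allows it.
function allowedByAll(responseHeaders, directive, url, pageOrigin) {
  return responseHeaders
    .filter(h => h.name.toLowerCase() === CSP)
    .every(h => policyAllows(h.value, directive, url, pageOrigin));
}
```

With a response carrying no original CSP header, `mergeCspHeader` applied twice blocks both images and workers, while `replaceCspHeader` applied twice leaves only the worker-src policy, which is the behaviour the report describes.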
Restrict Comments: true
Priority: P2 → P3
Restrict Comments: false