Can't disable content security policy
Categories
(Core :: DOM: Security, defect)
People
(Reporter: petru, Unassigned)
From github: https://github.com/mozilla-mobile/fenix/issues/27356.
Steps to reproduce
Firefox after version 99 removed the ability to disable CSP using about:config, so the only solution, as suggested, is to use a web request add-on to manipulate (remove) the content-security-policy. This works, but not for all websites. Having explained that, both Android and Mac desktop (Nightly 107), for example, fail to disable CSP with web request add-ons for Twitter.com unless I set dom.caches.enabled to false. Can someone confirm this?
Expected behaviour
I should be able to modify CSP.
Actual behaviour
CSP is not disabled.
Device name
poco f3
Android version
android
Firefox release type
Firefox Nightly
Firefox version
107
Comment 1•2 years ago
Bug 1754301 explains why we made the change. We need more information about specific use cases as to why users want to disable our implementation for a cornerstone of web security. Otherwise, I'd consider this WONTFIX.
Reporter
Comment 2•2 years ago
Thank you!
Asked the original reporter on GitHub to provide more details here.
Comment 3•2 years ago
CSP can also be set inside the page content in a <meta> tag, so you would have to modify the body of the web request in that case and not just the headers. Meta tags can also be created programmatically by the page in some cases, and to stop those you'd have to modify the script that is creating them. (Programmatic CSP seems like an odd thing to do and I haven't seen it, but it's possible.)
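The point made in comment 3, as an added example that is not part of the bug thread or of Firefox's code: a response can deliver CSP through headers and through <meta> tags, and every delivered policy is enforced, so an inventory of a page's policies has to read both. The class and function names and the sample response are constructed for illustration.

```python
from html.parser import HTMLParser

CSP_HEADERS = ("content-security-policy", "content-security-policy-report-only")

class MetaCSP(HTMLParser):
    """Collects policies from <meta http-equiv="Content-Security-Policy"> tags."""
    def __init__(self):
        super().__init__()
        self.in_head = False
        self.found = []  # (policy text, seen inside <head>)

    def handle_starttag(self, tag, attrs):
        if tag == "head":
            self.in_head = True
        elif tag == "meta":
            a = {k: (v or "") for k, v in attrs}
            if a.get("http-equiv", "").lower() == "content-security-policy":
                self.found.append((a.get("content", ""), self.in_head))

    def handle_endtag(self, tag):
        if tag == "head":
            self.in_head = False

def parse_policy(policy):
    """Split one serialized policy into {directive: [values]}."""
    out = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])  # first occurrence wins
    return out

def csp_sources(headers, body):
    """headers: list of (name, value); body: HTML text. Lists every delivered policy."""
    sources = []
    for name, value in headers:
        if name.lower() in CSP_HEADERS:
            for policy in value.split(","):  # one header can carry several policies
                if policy.strip():
                    sources.append({"via": "header", "name": name.lower(), "directives": parse_policy(policy)})
    parser = MetaCSP()
    parser.feed(body)
    for policy, in_head in parser.found:  # the HTML spec only honors meta CSP inside <head>
        sources.append({"via": "meta", "in_head": in_head, "directives": parse_policy(policy)})
    return sources

# Constructed sample response (not taken from the bug report).
SAMPLE_HEADERS = [("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example")]
SAMPLE_BODY = '<html><head><meta http-equiv="Content-Security-Policy" content="script-src \'none\'"></head><body></body></html>'
```

Calling csp_sources with an empty header list still reports the meta-delivered policy, which is the case a header-only view of the response misses.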
Comment 4•2 years ago
The reason I need to disable CSP is because of this 7-year-old bug in Firefox, explained here by the popular uBlock Origin extension developer:
https://github.com/uBlockOrigin/uBlock-issues/issues/235
Basically, CSP is interfering with uBlock.
In Kiwi/Yandex Browser, which also support extensions, I do not have any problem at all.
Comment hidden (off-topic)
Comment 6•2 years ago
(In reply to alessandro from comment #4)
> The reason I need to disable CSP is because of this 7-year-old bug in Firefox, explained here by the popular uBlock Origin extension developer:
> https://github.com/uBlockOrigin/uBlock-issues/issues/235
This just points at bug 1267027, so I'll dupe this over then. No point having another ticket for the exact same problem.
Comment 7•2 years ago
My use case is just slightly different because even when using a web response header add-on on Twitter (other websites are fine), CSP cannot be disabled.
My solution was to manually edit (setting CSP to blank) the cache.sqlite file under the default Twitter storage folder of Firefox and then chmod 500