Closed Bug 1794545 Opened 2 years ago Closed 2 years ago

Can't disable content security policy

Categories

(Core :: DOM: Security, defect)

Unspecified
Android
defect


RESOLVED DUPLICATE of bug 1267027

People

(Reporter: petru, Unassigned)


From GitHub: https://github.com/mozilla-mobile/fenix/issues/27356.

Steps to reproduce

Firefox after version 99 removed the ability to disable CSP using about:config, so the only solution, as suggested, is to use a web request add-on to manipulate (remove content-security-policy). This works, but not for all websites. Having explained that, both Android and Mac desktop (Nightly 107), for example, fail to disable CSP with web request add-ons for Twitter.com UNLESS I SET DOM.CACHES.ENABLED TO FALSE. Can someone confirm this?

Expected behaviour

I should be able to modify CSP

Actual behaviour

CSP is not disabled

Device name

poco f3

Android version

android

Firefox release type

Firefox Nightly

Firefox version

107

Device logs

No response

Additional information

No response


Change performed by the Move to Bugzilla add-on.

See Also: → 1754301

Bug 1754301 explains why we made the change. We need more information about specific use cases as to why users want to disable our implementation for a cornerstone of web security. Otherwise, I'd consider this WONTFIX.

Thank you!
Asked the original reporter on GitHub to provide more details here.

CSP can also be set inside the page content in a <meta> tag, so you would have to modify the body of the web request in that case and not just the headers. Meta tags can also be created programmatically by the page in some cases, and to stop those you'd have to modify the script that is creating them. (Programmatic CSP seems like an odd thing to do and I haven't seen it, but it's possible.)
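The point made in the comment above (a policy can reach the page through a response header or through a <meta> tag in the body) as an added example that is not part of the original bug thread or of Firefox's code: Python that lists every policy one response delivers and where it came from. The sample response, the function names and `cdn.example` are constructed for illustration, and the code does not check that the <meta> element sits inside <head>.

```python
from html.parser import HTMLParser

# Directives the CSP specification ignores when a policy arrives via <meta>.
META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}
HEADER_NAMES = {"content-security-policy", "content-security-policy-report-only"}

# Constructed sample response (not taken from any real site).
SAMPLE_HEADERS = [
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' https://cdn.example"),
    ("content-security-policy-report-only", "img-src *"),
]
SAMPLE_BODY = (
    '<html><head><meta http-equiv="Content-Security-Policy" '
    'content="script-src \'none\'; frame-ancestors \'none\'"></head></html>'
)

class MetaCSP(HTMLParser):
    """Collect policies declared with <meta http-equiv="Content-Security-Policy">."""
    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(a.get("content", ""))

def parse_policy(text):
    """Split a serialized policy into {directive: [values]}; the first duplicate wins."""
    out = {}
    for part in text.split(";"):
        tokens = part.split()
        if tokens:
            out.setdefault(tokens[0].lower(), tokens[1:])
    return out

def csp_sources(headers, body):
    """Return [(origin, enforced, directives)] for every policy in one response."""
    found = []
    for name, value in headers:
        if name.lower() in HEADER_NAMES:
            enforced = not name.lower().endswith("report-only")
            for policy in value.split(","):  # one header may list several policies
                found.append(("header", enforced, parse_policy(policy)))
    parser = MetaCSP()
    parser.feed(body)
    for policy in parser.policies:
        kept = {k: v for k, v in parse_policy(policy).items() if k not in META_IGNORED}
        found.append(("meta", True, kept))
    return found
```

Calling `csp_sources([], SAMPLE_BODY)` shows that the <meta> policy is still present when no CSP header is delivered.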

Summary: [Bug]: problem with content security policy → Can't disable content security policy

The reason I need to disable CSP is because of this 7-year-old bug in Firefox, explained here by the popular uBlock Origin extension developer:
https://github.com/uBlockOrigin/uBlock-issues/issues/235

Basically, CSP is interfering with uBlock.
In Kiwi/Yandex Browser, which also support extensions, I do not have any problem at all.

(In reply to alessandro from comment #4)

The reason I need to disable CSP is because of this 7-year-old bug in Firefox, explained here by the popular uBlock Origin extension developer:
https://github.com/uBlockOrigin/uBlock-issues/issues/235

This just points at bug 1267027, so I'll dupe this over then. No point having another ticket for the exact same problem.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE

My use case is just slightly different because even when using a web response header add-on in Twitter (other websites are fine), CSP cannot be disabled.
My solution was to manually edit (setting CSP to blank) the cache.sqlite file under the default Twitter storage folder of Firefox and then chmod 500.
