Open Bug 1935074 Opened 2 months ago Updated 22 days ago

CSP is ignored for cached data

Categories

(Fenix :: PWA, defect)

Firefox 134
All
Android
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: bugzilla, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0

Steps to reproduce:

Trying to avoid having to "Install" PWAs, to keep my browser control goodness from home screen links.

  1. Load a website with a manifest.json for a PWA
  2. Setup uBlock Origin to inject a CSP for the site: manifest-src 'none'
  3. Load the same website with a manifest.json for a PWA
  4. Load the same website with a manifest.json for a PWA in a private tab.

Actual results:

  1. The Firefox menu invites me to "Add app to Home screen" and the resulting link hides the browser interface.
  2. Same result as 1)
  3. The Firefox menu invites me to "Add to Home screen" and the resulting link simply opens Firefox (Yay!)

Expected results:

  1. Should have respected the content security policy and not loaded the manifest from cache.

I realise this is all a bit contrived, and probably annoying, but it seems to me that Firefox should not load anything against the will of the site CSP, even though the CSP has just changed.

The severity field is not set for this bug.
:boek, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(jboek)
Severity: -- → S4
Flags: needinfo?(jboek)
You need to log in before you can comment on or make changes to this bug.