Closed Bug 644960 Opened 13 years ago Closed 13 years ago

Firefox doesn't raise CSP violations in report-only mode

Categories: Firefox :: General, defect
Version: 4.0 Branch
Platform: x86_64 Linux
Priority: Not set
Severity: normal


RESOLVED DUPLICATE of bug 552523

People: Reporter pod.edge, Assignee bsterne

Details

User-Agent:       Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20110322 Firefox/4.0
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20110322 Firefox/4.0

I have implemented both the X-Content-Security-Policy and X-Content-Security-Policy-Report-Only HTTP headers with the same directives. When the first is turned on, I receive reports at the URI specified in report-uri and in the error console of Firefox. When the first is turned off and the second is turned on, I receive reports neither at the report-uri nor in the error console.

Reproducible: Always

Steps to Reproduce:
1. Configure your web app to send X-Content-Security-Policy-Report-Only header.
2. Configure CSP policies.
3. Configure your web app to violate CSP directives.
4. Load web app.
Actual Results:  
There are no "CSP: Directive violated" messages in Error Console and no JSON is sent to report-uri.

Expected Results:  
There are "CSP: Directive violated" messages in Error Console and JSON with report is sent to report-uri.

1. As mentioned above, X-Content-Security-Policy works like a charm.
2. While testing, X-Content-Security-Policy is not sent.
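To make the reproduction steps above concrete, here is an added example (not code from the bug report or from Firefox) of the smallest setup the reporter describes: a page served with a report-only header that carries a report-uri directive, a deliberately violating inline script, and a collector endpoint that accepts the JSON violation report. It assumes the legacy header name named in the bug, a `default-src`/`script-src` policy, the `{"csp-report": {...}}` body shape browsers POST, and localhost port 8000; the sample report is constructed, not captured from Firefox.

```python
"""CSP report-only test harness: serve a violating page, collect reports.

Added example; header name is the legacy Firefox 4 one from the bug.
Current browsers honour Content-Security-Policy-Report-Only instead, so
switch the constant below when testing a modern browser.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

REPORT_ONLY_HEADER = "X-Content-Security-Policy-Report-Only"
REPORT_PATH = "/csp-report"  # assumed collector path

# Page that violates the policy on purpose: inline script is not allowed by
# a policy that limits script-src to 'self'. In report-only mode the inline
# script still runs; the browser is only expected to send a report and log.
VIOLATING_PAGE = b"""<!doctype html>
<title>CSP report-only test</title>
<p>The inline script below violates script-src 'self'.</p>
<script>document.title = "inline script ran";</script>
"""


def build_report_only_header(policy, report_uri=REPORT_PATH):
    """Return (name, value) for a report-only header carrying `policy`
    plus a report-uri directive pointing at the collector."""
    policy = policy.strip().rstrip(";")
    return REPORT_ONLY_HEADER, f"{policy}; report-uri {report_uri}"


def parse_csp_report(body):
    """Validate a violation report body and return the inner 'csp-report'
    object. Raises ValueError for anything that is not a CSP report, so the
    collector never records arbitrary POSTed JSON as a violation."""
    try:
        data = json.loads(body)  # UnicodeDecodeError is a ValueError too
    except ValueError as exc:
        raise ValueError("report is not valid JSON") from exc
    report = data.get("csp-report") if isinstance(data, dict) else None
    if not isinstance(report, dict):
        raise ValueError("missing 'csp-report' object")
    if "violated-directive" not in report:
        raise ValueError("report has no 'violated-directive'")
    return report


def is_csp_report(body):
    """True if `body` parses as a well-formed violation report."""
    try:
        parse_csp_report(body)
        return True
    except ValueError:
        return False


class Handler(BaseHTTPRequestHandler):
    reports = []  # violations collected so far (in-memory, test use only)

    def do_GET(self):
        name, value = build_report_only_header(
            "default-src 'self'; script-src 'self'")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header(name, value)
        self.end_headers()
        self.wfile.write(VIOLATING_PAGE)

    def do_POST(self):
        if self.path != REPORT_PATH:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length)
        try:
            report = parse_csp_report(body)
        except ValueError as exc:
            self.send_error(400, str(exc))
            return
        self.reports.append(report)
        print("CSP violation:", report.get("violated-directive"),
              "blocked-uri:", report.get("blocked-uri"))
        self.send_response(204)
        self.end_headers()


# Constructed sample report in the {"csp-report": {...}} shape browsers POST.
SAMPLE_REPORT = json.dumps({"csp-report": {
    "document-uri": "http://localhost:8000/",
    "blocked-uri": "inline",
    "violated-directive": "script-src 'self'",
    "original-policy":
        "default-src 'self'; script-src 'self'; report-uri /csp-report",
}}).encode()

if __name__ == "__main__":
    # Loading http://localhost:8000/ in a browser should produce one POST to
    # /csp-report and a console message, while the inline script still runs
    # because the policy is report-only.
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run the script, load the page in the browser under test, and check two things: that the inline script executed (the title changes), and that exactly one report reached the collector. A browser that shows the first but not the second is exhibiting the behaviour this bug describes.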
I found the same thing; however, the read-only reporting works for me if the violation is including a "not allowed" js file. It does not work if you simply have some inline JavaScript.

Because of this, testing existing sites with 'X-Content-Security-Policy-Report-Only' does not work. This needs to be fixed.
I'll take a look into this in more detail tomorrow.
Assignee: nobody → bsterne
Version: unspecified → 4.0 Branch
I have found the same issue with Firefox 5.0 on Windows. 

It would be very helpful for starting to integrate the new CSP functionality to existing sites if this bug could be fixed.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE