Closed
Bug 644960
Opened 13 years ago
Closed 13 years ago
Firefox doesn't raise CSP violations in report-only mode
Categories
(Firefox :: General, defect)
RESOLVED
DUPLICATE
of bug 552523
People
(Reporter: pod.edge, Assigned: bsterne)
Details
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20110322 Firefox/4.0
Build Identifier: Mozilla/5.0 (X11; Linux x86_64; rv:2.0) Gecko/20110322 Firefox/4.0

I have implemented both the X-Content-Security-Policy and X-Content-Security-Policy-Report-Only HTTP headers with the same directives. When the first is turned on, I receive reports at the URI specified in report-uri and in the Firefox Error Console. When the first is turned off and the second is turned on, I receive reports neither at the report-uri nor in the Error Console.

Reproducible: Always

Steps to Reproduce:
1. Configure your web app to send the X-Content-Security-Policy-Report-Only header.
2. Configure CSP policies.
3. Configure your web app to violate CSP directives.
4. Load the web app.

Actual Results: There are no "CSP: Directive violated" messages in the Error Console and no JSON is sent to report-uri.

Expected Results: There are "CSP: Directive violated" messages in the Error Console and a JSON report is sent to report-uri.

1. As mentioned above, X-Content-Security-Policy works like a charm.
2. While testing, X-Content-Security-Policy is not sent.
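A minimal harness for the setup the report describes, added here as an example (it is not Firefox code and not the reporter's application): it serves a page containing an inline script under either the enforcing or the report-only header, and accepts the JSON a browser posts to report-uri so the two modes can be compared side by side. The directive syntax, the port and the report field names are assumptions.

```python
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Directives shared by both headers, as in the bug report (syntax assumed).
POLICY = "default-src 'self'; script-src 'self'; report-uri /csp-report"

# Legacy Firefox header names named in the report.
ENFORCE_HEADER = "X-Content-Security-Policy"
REPORT_ONLY_HEADER = "X-Content-Security-Policy-Report-Only"


def csp_header(report_only):
    """Return the (name, value) pair to send: enforce or report-only mode."""
    return (REPORT_ONLY_HEADER if report_only else ENFORCE_HEADER, POLICY)


def parse_csp_report(body):
    """Validate a JSON violation report POSTed to report-uri.

    Returns the fields an operator acts on, or None if the body is not a
    well-formed report. Field names follow the legacy format (assumption).
    """
    try:
        report = json.loads(body).get("csp-report")
    except (ValueError, AttributeError):   # bad JSON, or top level not an object
        return None
    if not isinstance(report, dict):
        return None
    return {key: str(report.get(key, "")) for key in
            ("violated-directive", "blocked-uri", "request")}


class Handler(BaseHTTPRequestHandler):
    report_only = True  # flip to False to compare with enforcing mode

    def do_GET(self):
        # Page with an inline script: the case the commenters say yields no report.
        body = b"<html><body><script>document.title='inline';</script></body></html>"
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header(*csp_header(self.report_only))
        self.end_headers()
        self.wfile.write(body)

    def do_POST(self):
        # report-uri endpoint: log well-formed violations, reject anything else.
        length = int(self.headers.get("Content-Length", 0))
        fields = parse_csp_report(self.rfile.read(length)) if self.path == "/csp-report" else None
        if fields:
            print("CSP violation:", fields)
        self.send_response(204 if fields else 400)
        self.end_headers()


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8000), Handler).serve_forever()
```

Run it, load http://127.0.0.1:8000/ in the browser under test, and watch for the "CSP violation:" line; switching `report_only` shows whether the report-only header produces the same report as the enforcing one.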
I found the same thing; however, the read-only reporting works for me if the violation is "including a 'not allowed' js file". It does not work if you simply have some inline JavaScript. Because of this, testing existing sites with 'X-Content-Security-Policy-Report-Only' does not work. This needs to be fixed.
Comment 2•13 years ago
I'll take a look into this in more detail tomorrow.
Assignee: nobody → bsterne
Updated•13 years ago
Version: unspecified → 4.0 Branch
I have found the same issue with Firefox 5.0 on Windows. It would be very helpful for starting to integrate the new CSP functionality to existing sites if this bug could be fixed.
Updated•13 years ago
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE