User Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:126.96.36.199) Gecko/20111107 Ubuntu/10.04 (lucid) Firefox/3.6.24
Build ID: 20111107172717

Steps to reproduce:

I've got the following CSP header on http://fmarier.org/copy.html:

X-Content-Security-Policy: style-src 'self'; img-src 'self'; font-src 'self'

Actual results:

It should allow local images and stylesheets through (like it did in Firefox 7); however, it doesn't, and only the HTML is displayed.

Expected results:

It should be rendered the same way as http://fmarier.org/, which has this policy:

X-Content-Security-Policy: default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'
That's certainly how our original Mozilla proposal read, but during the evolution of the W3C Content Security Policy spec this was changed so that missing directives meant no restrictions. In other words, leaving off default-src 'none' was closer to an implied "default-src *". But when this bug was filed we should not have had that behavior (I'm not sure we've intentionally changed it yet), so we need to look into this.
This should be fixed as part of bug 746978; I'll make sure it is.
Sid, isn't this a dupe of bug 764937 as well?
I think this is not a dupe of 764937... the X- header version (pre-1.0) requires default-src or allow directives, as dveditz says in comment 1. I think this is wontfix for the X- version of the header, though for version 1.0 compliance (bug csp-w3c-1.0) we do need to make sure this works.
Right, I'm going to test this with the 1.0 parser in the very near future :)
Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox should I test this with?)
(In reply to François Marier [:francois] from comment #6)
> Is support for the 1.0 spec in Nightly/Aurora? (i.e. what version of Firefox
> should I test this with?)

Most of it is in Aurora/Fx 21, see bug 746978 which is the most relevant piece. You will need to set security.csp.specCompliant to true manually to enable 1.0 spec support (using the unprefixed Content-Security-Policy header) until bug 842657 lands.
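The disagreement in comments 1 and 4 is about what a policy means when it has no default-src (or, in the pre-1.0 X- syntax, no allow) directive. The script below is an added illustration, not code from this bug or from Firefox: a small policy evaluator that parses both headers from comment 0 and checks a few resource loads under the two readings. The "legacy" mode models the reading described in comment 1 (a missing default-src behaves like 'none'); the "csp1" mode models the W3C 1.0 rule (a missing directive with no default-src means no restriction). Following comment 7, the mode is picked from the header name, with the unprefixed Content-Security-Policy header selecting the 1.0 semantics. The mode selection, the origin strings and the sample loads are assumptions made for the example; only 'self', 'none', '*' and plain host sources are modelled.

```javascript
// Added example: minimal CSP source-list evaluator showing the effect of a
// missing default-src under two readings of the policy. Not Firefox's parser.

// Parse "dir src src; dir src ..." into a Map of directive name -> source list.
// "allow" (pre-1.0 spelling) is folded into default-src. The first occurrence
// of a directive wins; later duplicates are ignored, as in the 1.0 spec.
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    let name = tokens[0].toLowerCase();
    if (name === 'allow') name = 'default-src';
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Does one source expression permit a load from resourceOrigin on a page at
// pageOrigin? Origins are strings like "http://fmarier.org". Keyword sources
// other than 'self', 'none' and '*' (e.g. 'unsafe-inline') are not modelled
// and never match.
function sourceMatches(source, pageOrigin, resourceOrigin) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === '*') return true;
  if (s === "'self'") return resourceOrigin === pageOrigin;
  if (s.startsWith("'")) return false;
  // Host source: "https://cdn.example.com" or scheme-less "cdn.example.com",
  // optionally with a leading "*." host wildcard.
  const res = new URL(resourceOrigin);
  const [scheme, host] = s.includes('://') ? s.split('://') : [null, s];
  if (scheme !== null && scheme + ':' !== res.protocol) return false;
  if (host.startsWith('*.')) return res.hostname.endsWith(host.slice(1));
  return res.hostname === host;
}

// Directive lookup with fallback: the specific directive, then default-src,
// and if neither is present the answer depends on the reading being modelled.
function isAllowed(policy, directive, pageOrigin, resourceOrigin, mode) {
  let sources = policy.get(directive);
  if (sources === undefined) sources = policy.get('default-src');
  if (sources === undefined) {
    // csp1: no directive and no default-src => unrestricted.
    // legacy: treated as an implied 'none' (assumption modelling comment 1).
    return mode === 'csp1';
  }
  return sources.some((src) => sourceMatches(src, pageOrigin, resourceOrigin));
}

// Assumption for the example: the unprefixed header gets 1.0 semantics, the
// X- header the legacy reading (see comment 7 on the pref that enables 1.0).
function modeForHeader(headerName) {
  return headerName.toLowerCase() === 'content-security-policy' ? 'csp1' : 'legacy';
}

// The two policies quoted in comment 0.
const COPY_HTML_POLICY = "style-src 'self'; img-src 'self'; font-src 'self'";
const ROOT_POLICY = "default-src 'none'; style-src 'self'; img-src 'self'; font-src 'self'";
const PAGE = 'http://fmarier.org';

// Constructed sample loads: [directive governing the load, origin of the resource].
const LOADS = [
  ['img-src', PAGE],
  ['style-src', PAGE],
  ['script-src', PAGE],
  ['script-src', 'https://cdn.example.net'],
];

// Returns [[directive, origin, allowed], ...] for each sample load.
function evaluate(headerName, header, loads) {
  const policy = parsePolicy(header);
  const mode = modeForHeader(headerName);
  return loads.map(([directive, origin]) => [directive, origin, isAllowed(policy, directive, PAGE, origin, mode)]);
}

for (const [name, header] of [
  ['X-Content-Security-Policy', COPY_HTML_POLICY],
  ['Content-Security-Policy', COPY_HTML_POLICY],
  ['Content-Security-Policy', ROOT_POLICY],
]) {
  console.log(`${name}: ${header}`);
  for (const [directive, origin, ok] of evaluate(name, header, LOADS)) {
    console.log(`  ${directive.padEnd(11)} ${origin.padEnd(24)} ${ok ? 'allowed' : 'blocked'}`);
  }
}
```

The two readings only diverge for loads that have no governing directive: script-src is absent from copy.html's policy, so under the 1.0 reading scripts from anywhere are allowed, while under the legacy reading they are blocked. Note that img-src 'self' permits the local image under either reading, so the observation in comment 0 (only the HTML rendered) matches neither model, which is what makes it a bug rather than a spec disagreement.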
This bug is very confusing. Is this a bug in the pre-CSP-1.0 implementation, a bug in the CSP 1.0 implementation, or both? Obviously, this is a big deal if it is a bug in the CSP 1.0 implementation, which I'm guessing it is since it blocks csp-w3c-1.0.