Closed
Bug 928005
Opened 11 years ago
Closed 11 years ago
X-Content-Security-Policy-Report-Only being treated as X-Content-Security-Policy
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 924708
People
(Reporter: basta, Unassigned)
As of Nightly a couple days ago, sites that specify X-Content-Security-Policy-Report-Only with heavy restrictions via policy-uri are having their code blocked with CSP violations, despite being Report-Only.

Here's the HTTP header we send on the Firefox Marketplace:

X-Content-Security-Policy-Report-Only:policy-uri /services/csp/policy?build=5e5e

And here's the policy URL:

https://marketplace-dev.allizom.org/services/csp/policy

With this setup, calls to eval() and `new Function()` should not fail, but currently are. Note that this only happens in Nightly.
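Added example, not part of the bug report or of Firefox's code: a small JavaScript model of the behaviour the report expects, in which a Report-Only header may produce a violation report but never a block. The function names are hypothetical, the model assumes the checked action violates every delivered policy, and it also covers an enforcing header, which the report does not send.

```javascript
// Added example: models how a user agent is expected to treat the two
// pre-standard CSP headers. Function names here are hypothetical.
const ENFORCE = "x-content-security-policy";
const REPORT_ONLY = "x-content-security-policy-report-only";

// Split a raw header block into {mode, value, policyUrl} entries.
// Header names are case-insensitive; a missing space after ':' is tolerated.
function parseCspHeaders(rawHeaders, pageUrl) {
  const found = [];
  for (const line of rawHeaders.split(/\r?\n/)) {
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const name = line.slice(0, idx).trim().toLowerCase();
    if (name !== ENFORCE && name !== REPORT_ONLY) continue;
    const value = line.slice(idx + 1).trim();
    // policy-uri points at a document holding the real policy; resolve it
    // against the page URL so it can be fetched and reviewed.
    const m = /^policy-uri\s+(\S+)/i.exec(value);
    found.push({
      mode: name === REPORT_ONLY ? "report-only" : "enforce",
      value,
      policyUrl: m ? new URL(m[1], pageUrl).href : null,
    });
  }
  return found;
}

// Expected result for an action (for example eval()) that is assumed to
// violate every policy delivered: only an enforcing header may block it.
function expectedOutcome(policies) {
  if (policies.some((p) => p.mode === "enforce")) return "block";
  if (policies.some((p) => p.mode === "report-only")) return "report";
  return "allow";
}

// Constructed sample: the header from the report plus an unrelated one.
const sample = [
  "Content-Type: text/html",
  "X-Content-Security-Policy-Report-Only:policy-uri /services/csp/policy?build=5e5e",
].join("\n");
const policies = parseCspHeaders(sample, "https://marketplace-dev.allizom.org/");
console.log(policies, expectedOutcome(policies));
```

A "block" result for the sample header would correspond to the regression described in this bug.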
Comment 1•11 years ago
Can someone take a look at this? This looks like a regression.
Comment 2•11 years ago
I filed this a few weeks ago and a fix is close.
Status: NEW → RESOLVED
Closed: 11 years ago
Component: General → Security
Resolution: --- → DUPLICATE