X-Content-Security-Policy-Report-Only being treated as X-Content-Security-Policy

Status: RESOLVED DUPLICATE of bug 924708
Product: Core
Component: Security

Reporter: basta (Unassigned)
Blocks: 1 bug
Firefox Tracking Flags: Not tracked

Description (Reporter)
As of Nightly a couple days ago, sites that specify X-Content-Security-Policy-Report-Only with heavy restrictions via policy-uri are having their code blocked with CSP violations, despite being Report-Only.

Here's the HTTP header we send on the Firefox Marketplace:

X-Content-Security-Policy-Report-Only:policy-uri /services/csp/policy?build=5e5e

And here's the policy URL:

https://marketplace-dev.allizom.org/services/csp/policy

With this setup, calls to eval() and `new Function()` should not fail, but currently are.

Note that this only happens in Nightly.
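As an added example (not code from the bug report, Mozilla or the Marketplace), the check a site owner would run on a page served with the header above to tell "reporting only" apart from "enforcing": it recognises the legacy X- prefixed and the standard CSP header names, exercises the two calls named in the report, and combines both into a verdict. The header object, the function names and the sample header value are assumptions for illustration; run in Node, where no CSP applies, it reports nothing blocked.

```javascript
// Added example, not code from the bug report or from Mozilla/Marketplace.
// Goal: on a page served with a *-Report-Only CSP header, confirm that the
// browser only reports violations and does not enforce them (the regression
// described above blocked eval() / new Function() despite Report-Only).

// Decide which mode the response headers request. Header names are
// case-insensitive; both the legacy X- prefixed names and the standard
// names are recognised. Input: an object of header-name -> value.
function cspMode(headers) {
  const names = Object.keys(headers).map(h => h.toLowerCase());
  const reportOnly = names.some(n =>
    n === 'x-content-security-policy-report-only' ||
    n === 'content-security-policy-report-only');
  const enforce = names.some(n =>
    n === 'x-content-security-policy' || n === 'content-security-policy');
  if (reportOnly && enforce) return 'both';
  if (reportOnly) return 'report-only';
  if (enforce) return 'enforce';
  return 'none';
}

// Exercise the two dynamic-code paths the report mentions. Under an enforced
// policy that lacks 'unsafe-eval' each call throws (an EvalError in practice);
// under a report-only policy the calls succeed and only a report is sent.
function probeDynamicCode() {
  const result = { evalBlocked: false, newFunctionBlocked: false };
  try { eval('1 + 1'); } catch (e) { result.evalBlocked = true; }
  try { new Function('return 2 * 3')(); } catch (e) { result.newFunctionBlocked = true; }
  return result;
}

// Combine header mode and runtime behaviour into a verdict. A report-only
// policy that blocks anything is the bug; an enforcing policy that blocks
// nothing usually means the policy itself permits eval ('unsafe-eval').
function verdict(mode, probe) {
  const blocked = probe.evalBlocked || probe.newFunctionBlocked;
  if (mode === 'report-only') {
    return blocked ? 'BUG: report-only policy is being enforced'
                   : 'OK: report-only policy not enforced';
  }
  if (mode === 'enforce' || mode === 'both') {
    return blocked ? 'OK: enforcing policy blocked dynamic code'
                   : 'INFO: enforcing policy allows dynamic code';
  }
  return blocked ? 'UNEXPECTED: blocked without any CSP header'
                 : 'OK: no CSP header, nothing blocked';
}

// Constructed sample: the Marketplace header quoted in the report.
const sampleHeaders = {
  'X-Content-Security-Policy-Report-Only': 'policy-uri /services/csp/policy?build=5e5e'
};
```

In a real page, build the header object by iterating the headers of a `fetch(location.href)` response and then call `verdict(cspMode(headers), probeDynamicCode())`; a "BUG" verdict on a Report-Only page is the behaviour this report describes.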
Blocks: 927627
Can someone take a look at this? This looks like a regression.
I filed this a few weeks ago and a fix is close.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Component: General → Security
Resolution: --- → DUPLICATE
Duplicate of bug: 924708