As of Nightly a couple days ago, sites that specify X-Content-Security-Policy-Report-Only with heavy restrictions via policy-uri are having their code blocked with CSP violations, despite being Report-Only. Here's the HTTP header we send on the Firefox Marketplace: `X-Content-Security-Policy-Report-Only:policy-uri /services/csp/policy?build=5e5e`. And here's the policy URL: https://marketplace-dev.allizom.org/services/csp/policy. With this setup, calls to `eval()` and `new Function()` should not fail, but currently they do. Note that this only happens in Nightly.
Can someone take a look at this? This looks like a regression.
I filed this a few weeks ago and a fix is close.