Closed Bug 928005 Opened 11 years ago Closed 11 years ago

X-Content-Security-Policy-Report-Only being treated as X-Content-Security-Policy

Categories

(Core :: Security, defect)

x86_64
All
defect
Not set
normal


RESOLVED DUPLICATE of bug 924708

People

(Reporter: basta, Unassigned)

References

Details

As of Nightly a couple days ago, sites that specify X-Content-Security-Policy-Report-Only with heavy restrictions via policy-uri are having their code blocked with CSP violations, despite being Report-Only.

Here's the HTTP header we send on the Firefox Marketplace:

X-Content-Security-Policy-Report-Only:policy-uri /services/csp/policy?build=5e5e

And here's the policy URL:

https://marketplace-dev.allizom.org/services/csp/policy

With this setup, calls to eval() and `new Function()` should not fail, but currently are.

Note that this only happens in Nightly.
Blocks: 927627
Can someone take a look at this? This looks like a regression.
I filed this a few weeks ago and a fix is close.
Status: NEW → RESOLVED
Closed: 11 years ago
Component: General → Security
Resolution: --- → DUPLICATE