diracdeltas/sniffly

Not working in FF Developer edition

Closed this issue · 6 comments

Just a little heads up:
I played a bit with the project and noticed it is working in the current FF release (not as nicely as in Chrome, but it works when adding the CSP header via PHP), but it didn't work in the FF Developer edition.

In fact it looks like dev edition ignores the CSP rule completely as it happily displays images from an HTTPS source.

In the developer tools console, do you see the CSP rule being sent correctly? If so, that sounds like a FF bug.

Could you try changing the CSP syntax to img-src http:?

jomo commented

From security csp in the Developer Toolbar, it also shows up like that in response headers:
CSP screenshot


> it happily displays images from an HTTPS source

Can confirm, was able to append that HTTPS screenshot to the page:

https screenshot


To be fair, it doesn't seem to make a lot of sense to restrict images to insecure URLs, but I would agree that's a bug.

I also confirmed this, and it's definitely a bug according to the CSP spec. Testing it out in csptester.io, it looks like Firefox Dev Edition does not ignore 'img-src https:' but does ignore 'img-src http:'.

Update: FF and Chrome have decided that ignoring the http-only CSP directive is correct. As a workaround, Sniffly Firefox uses crbug 436451 for sniffing. Closing for now; please reopen if it still doesn't work!
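As an added example (not code from Sniffly or from anyone in this thread), here is a small JavaScript model of the CSP source-expression matching this issue hinges on. It follows the CSP Level 3 rule that an `http:` scheme-source also matches HTTPS URLs, which is the behaviour the final comment says Firefox and Chrome settled on; the `allowUpgrade` flag is this example's own knob for comparing against the stricter reading the reporters expected. Only scheme-only sources and `'none'` are handled; host-source and keyword matching are out of scope.

```javascript
// Added example, not Sniffly's own code: a minimal model of how a browser
// decides whether an <img> load is allowed by a CSP header such as
// `img-src http:`. Only scheme-only source expressions ("http:", "https:")
// are matched; 'none', 'self' and host-sources never match here.

// CSP Level 3 "Does scheme match scheme": an expression scheme matches the
// URL scheme when they are equal, or when the expression is http/ws and the
// URL uses the secure variant https/wss. allowUpgrade=false models the
// stricter reading under which `img-src http:` would block HTTPS images.
function schemeMatches(exprScheme, urlScheme, allowUpgrade = true) {
  const a = exprScheme.toLowerCase();
  const b = urlScheme.toLowerCase();
  if (a === b) return true;
  return allowUpgrade && ((a === "http" && b === "https") || (a === "ws" && b === "wss"));
}

// A scheme-source is a scheme name followed by a single colon, e.g. "https:".
function isSchemeSource(token) {
  return /^[a-z][a-z0-9+.-]*:$/i.test(token);
}

// Parse "name src src; name src" into a Map of directive name -> source tokens.
// Per CSP, a repeated directive name is ignored, so the first occurrence wins.
function parseCsp(header) {
  const out = new Map();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!out.has(name)) out.set(name, tokens.slice(1));
  }
  return out;
}

// True if imageUrl may load under cspHeader. img-src falls back to
// default-src; with neither directive present, image loads are unrestricted.
function imgAllowed(cspHeader, imageUrl, allowUpgrade = true) {
  const directives = parseCsp(cspHeader);
  const sources = directives.get("img-src") ?? directives.get("default-src");
  if (sources === undefined) return true;
  const urlScheme = new URL(imageUrl).protocol.slice(0, -1); // "https:" -> "https"
  return sources.some(src =>
    isSchemeSource(src) && schemeMatches(src.slice(0, -1), urlScheme, allowUpgrade));
}
```

Calling `imgAllowed("img-src http:", "https://example.com/a.png")` returns `true` under the CSP3 rule and `false` with `allowUpgrade` set to `false`, which is exactly the difference between the two browser behaviours discussed above.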