Opened 10 months ago

Last modified 10 months ago

#6873 new defect

$csp filter can make CSP options more insecure on Firefox 55 / 51

Reported by: Ross
Assignee:
Priority: Unknown
Milestone:
Module: Platform
Keywords:
Cc: kzar, sebastian, hfiguiere, mjethani
Blocked By:
Blocking:
Platform: Unknown / Cross platform
Ready: no
Confidential: no
Tester: Unknown
Verified working: no
Review URL(s):

Firefox 55 / 51 / Windows 10
Could not reproduce in Chrome or Firefox 61.

Also occurs in ABP 3.2.

How to reproduce

  1. Navigate to
  2. Add filter ||^$csp=http:

Observed behaviour

The frame on the page loads because the filter seems to have overridden the frame-src 'none' with 'http'.

Expected behaviour

The frame should not load. In Chrome 68/55/51 and Firefox 61, the frame does not load as expected.

Change History (3)

comment:1 Changed 10 months ago by Ross

This also occurs in 3.2, so it is not a regression for 3.3.

comment:2 Changed 10 months ago by mjethani

FYI unable to reproduce this on Firefox 59.

Also, as for the fix for this, we might just want to ignore CSP filters on older versions of Firefox that have this problem.

comment:3 Changed 10 months ago by mjethani

  • Component changed from Unknown to Platform