Opened 2 years ago

Closed 13 months ago

#6873 closed defect (rejected)

$csp filter can make CSP options more insecure on Firefox 55 / 51

Reported by: Ross Assignee:
Priority: Unknown Milestone:
Module: Platform Keywords: closed-in-favor-of-gitlab
Cc: kzar, sebastian, hfiguiere, mjethani Blocked By:
Blocking: Platform: Unknown / Cross platform
Ready: no Confidential: no
Tester: Unknown Verified working: no
Review URL(s):



Firefox 55 / 51 / Windows 10
Could not reproduce in Chrome or Firefox 61.

Also occurs in ABP 3.2.

How to reproduce

  1. Navigate to
  2. Add filter ||^$csp=http:

Observed behaviour

The frame on the page loads because the filter seems to have overridden the frame-src 'none' with 'http'.

Expected behaviour

The frame should not load. In Chrome 68/55/51 and Firefox 61, the frame does not load as expected.

Change History (4)

comment:1 Changed 2 years ago by Ross

This also occurs in 3.2 so is not a regression for 3.3.

comment:2 Changed 2 years ago by mjethani

FYI unable to reproduce this on Firefox 59.

Also, as for the fix for this, we might just want to ignore CSP filters on older versions of Firefox that have this problem.

comment:3 Changed 2 years ago by mjethani

  • Component changed from Unknown to Platform

comment:4 Changed 13 months ago by sebastian

  • Keywords closed-in-favor-of-gitlab added
  • Resolution set to rejected
  • Status changed from new to closed

Sorry, but we switched to GitLab. If this issue is still relevant, please file it again in the new issue tracker.

Note: See TracTickets for help on using tickets.