nickform

Reputation: 1751

Why does Firefox always give a warning with CSP: default-src 'self'?

If I serve the following HTML:

<!doctype html>
<head>
  <title>CSP test</title>
</head>
<body>
  Surely I'm too simple to need a complicated CSP?!?
</body>
</html>

with the following header:

Content-Security-Policy: default-src 'self'

Firefox (version 77.0.1 and earlier, macOS 10.15) always prints this error in the console:

Content Security Policy: The page's settings blocked the loading of a resource at inline ("default-src").

This despite the fact that this content security policy is the first example on the MDN page about content security policies, where it is presented as the policy for the exact use case I have. Chrome does not print any such error message. Is this a Firefox bug or am I overlooking some subtlety?

Thanks in advance.

Upvotes: 2

Views: 1444

Answers (2)

abhattal

Reputation: 31

Just to add some information to the answer regarding Firefox browser extensions being to blame, in my case it was the React Developer Tools extension that caused this to appear.

Upvotes: 3

Stephen R

Reputation: 3897

I don’t see anything wrong in your code, so it’s likely something else.

Try turning off all browser add-ons. Sometimes those can trigger CSP errors.

Upvotes: 4
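An added example, not part of the original question or answers: a way to triage CSP violation reports on the server side so that add-on noise like the one described above can be told apart from real policy gaps. It assumes the policy also carries a `report-uri` directive pointing at an endpoint of your own and that reports arrive in the legacy `{"csp-report": {...}}` JSON format; the function names, category labels and sample reports are constructed for illustration, and the extension-scheme check is a heuristic.

```python
import json
from urllib.parse import urlsplit

# URL schemes browsers use for extension-owned resources (heuristic list).
EXTENSION_SCHEMES = {"moz-extension", "chrome-extension", "safari-web-extension"}

def scheme_of(value):
    """Scheme of a report field, or the bare keyword ('inline', 'eval')."""
    value = (value or "").strip().lower()
    return urlsplit(value).scheme if ":" in value else value

def classify(raw_body):
    """Triage one report body: 'extension', 'inline-unattributed' or 'page'."""
    report = json.loads(raw_body).get("csp-report", {})
    blocked = scheme_of(report.get("blocked-uri"))
    source = scheme_of(report.get("source-file"))
    if blocked in EXTENSION_SCHEMES or source in EXTENSION_SCHEMES:
        return "extension"            # add-on noise, not a gap in the policy
    if blocked == "inline" and not source:
        return "inline-unattributed"  # compare against the page's own markup
    return "page"                     # the site's own content hit the policy

def make_report(blocked_uri, source_file=None):
    """Build a constructed report body for the test page in the question."""
    body = {
        "document-uri": "https://example.test/",
        "violated-directive": "default-src",
        "original-policy": "default-src 'self'; report-uri /csp-report",
        "blocked-uri": blocked_uri,
    }
    if source_file is not None:
        body["source-file"] = source_file
    return json.dumps({"csp-report": body})

# Constructed sample reports (not captured from a real browser).
SAMPLES = {
    "addon_inline": make_report("inline", "moz-extension://0000-placeholder/inject.js"),
    "bare_inline": make_report("inline"),
    "third_party": make_report("https://cdn.example.test/lib.js", "https://example.test/"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name}: {classify(raw)}")
```

For a page like the one in the question, which contains no inline script or style of its own, an `inline-unattributed` result points at something injected into the page, which a retest in a clean browser profile can confirm.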
