Content Security Policy failing on line 1 (Firefox 57.0)

我怕爱的太早我们不能终老 submitted on 2019-12-11 03:27:01

Question


I am using the following Content Security Policy in Report-Only mode:

Content-Security-Policy-Report-Only "default-src 'self'; report-uri /log_violations"

When I go to a URL on the server with an HTML page containing the following:

<!DOCTYPE html>
<head>
  <title>
    Test document
  </title>
</head>
<html>
  <body>
    Hello
  </body>
</html>

I am seeing the following error message in Firefox 57.0 on line 1:

Content Security Policy: The page’s settings observed the loading of a 
resource at self (“default-src http://www3.thestar.com”). A CSP report
is being sent. Source: ;!function(){var t=0,e=function(t,e){ret...

In other browsers, like Edge, Chrome, I haven't seen these errors.

Any thoughts on whether this is a Firefox quirk or something I've set up incorrectly? I'm stumped as to why the policy is rejecting line 1 of every page.


Answer 1:


You probably have an extension installed and enabled that is injecting content into the page. Try opening the page in a new Firefox profile without any extensions to see if you see the CSP violation reported.

Firefox is planning to exclude content injected by extensions in CSP checks starting with Firefox 58, so this should reduce the noise from extensions doing stuff on a page.

From the Mozilla blog,

Starting with Firefox 58, the CSP of a web page does not apply to content inserted by an extension. This allows, for example, the extension to load its own resources into a page.
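
One way the /log_violations endpoint from the question could triage incoming reports, so that extension-originated noise is counted separately from violations the site itself causes. This is an added example, not code from the question or the answer; the category names, the sample reports and the example.test host are constructed for illustration.

```python
import json
from collections import Counter
from urllib.parse import urlsplit

# URL schemes browsers use for extension-owned resources.
EXTENSION_SCHEMES = {"moz-extension", "chrome-extension",
                     "safari-extension", "safari-web-extension"}
# Keyword values browsers put in blocked-uri for inline or eval'd code.
INLINE_KEYWORDS = {"self", "inline", "eval"}

def _scheme(value):
    """Scheme of a URL-like field; "" for keywords, missing or non-string values."""
    try:
        return urlsplit(value).scheme.lower() if isinstance(value, str) else ""
    except ValueError:
        return ""

def classify_report(raw_body):
    """Classify one POST body received on the report-uri endpoint."""
    try:
        report = json.loads(raw_body)["csp-report"]
    except (ValueError, KeyError, TypeError):
        return "malformed"   # the endpoint is unauthenticated, so expect junk
    if not isinstance(report, dict):
        return "malformed"
    blocked = report.get("blocked-uri")
    if EXTENSION_SCHEMES & {_scheme(blocked), _scheme(report.get("source-file"))}:
        return "extension"   # blocked resource or reporting script is extension-owned
    if isinstance(blocked, str) and blocked.lower() in INLINE_KEYWORDS:
        return "inline"      # compare script-sample with what the server sent
    return "external"        # a URL outside the policy: investigate

def summarize(raw_bodies):
    """Count reports per category so extension noise can be separated out."""
    return Counter(classify_report(body) for body in raw_bodies)

# Constructed sample reports (not captured traffic); example.test is a placeholder.
SAMPLES = [
    json.dumps({"csp-report": {"blocked-uri": "self", "line-number": 1,
                               "script-sample": ";!function(){var t=0"}}),
    json.dumps({"csp-report": {"blocked-uri": "moz-extension://placeholder-id/inject.js"}}),
    json.dumps({"csp-report": {"blocked-uri": "https://cdn.example.test/lib.js"}}),
    "not json",
]

if __name__ == "__main__":
    print(summarize(SAMPLES))
```

A report like the Firefox 57 one in the question names no extension URL, so it lands in the inline bucket; there the script-sample is the field to compare against the markup the server actually served.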



Source: https://stackoverflow.com/questions/47519661/content-security-policy-failing-on-line-1-firefox-57-0
