Firefox Community Forum

Hi,

I am developing a website of my own and in that website I want to implement a handler for Content-Security-Policy violation reports. I want to test if this handler works as I expect and therefore I have configured a webpage such that is will report CSP violations (I see them in the web developer console) and I want to have them sent to my application's CSP-violation handler.

In my test environment, the application is running on localhost. I have run my web application both on HTTP and HTTPS (with a self-signed certificate), but in neither case Firefox is sending any reports to my application.

My CSP headers look as follows: Content-Security-Policy: report-uri http://localhost:5281/csp-violation;base-uri 'none';default-src 'self';form-action 'none';frame-ancestors 'none';report-to csp-viol;script-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg';style-src 'unsafe-eval' 'nonce-9FuQ3NuVoW66DT1ZU4w9EPSymnHE1/hg' Reporting-Endpoints: csp-viol=http://localhost:5281/csp-violation Report-To: {"group":"csp-viol","max_age":10886400,"endpoints":[{"url":"http://localhost:5281/csp-violation"}]}

When I run my application using HTTPS, all HTTP in the endpoints will also be HTTPS.

I have verified that when I post something by hand to http://localhost:5281/csp-violation, my handler is executed, so that is not the issue. I believe that Firefox is just not sending the reports. Is there a way to configure Firefox such that it will send the CSP violation reports to my application when run on HTTP(S) on localhost?

Sincerely, Marcel

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.

le fichier imap.orange.fr : est rempli à 494 GO Comment le vider ? The file imap.orange.fr is filles with 494 GO How to empty it ? Thank you in advance