content-security-policy edge case

  • No replies
  • 0 have this problem
  • 9 views
I know this is likely to be a won't-fix resolution, but I'd like to confirm that.

So if a webserver has the extremely cautious content-security header:

content-security-policy default-src 'none';

Firefox will correctly not embed video from that same domain in web pages hosted by that domain.

Fine. Good. Totally right.

When the server sets the same flag on the media file itself, Firefox's media player won't play it in browser. Even if I directly open the URL as a user, signaling my user intent to accept the risks for the file, the default player Firefox creates uses the media file's content-security-policy FOR itself.

This means the media won't load, gives an unhelpful and incorrect error message about MIME types, and the only way to view it is to actively download it and view it in local media applications.

Now, given the risks of allowing exceptions in CSP, I will understand if the development team doesn't feel this is a safe change to make, and it's on website owners to prevent this, but I don't feel it's in keeping with the intent of CSP to prevent this case.

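The post leaves it to site owners to avoid the situation. One way to do that, as an added example that is not part of the post or of Firefox, is to attach the strict policy only to HTML documents and send no CSP header on media and other subresource responses, so that a media URL opened directly is not governed by its own `default-src 'none'`. The handler class, the `csp_for` helper and the assumption that omitting the header on non-HTML responses is acceptable for the site are all mine.

```python
# Added example (not from the original post): a static file server that
# sends "default-src 'none'" on HTML documents only. Assumption: the site
# is happy to send no CSP header at all on media and other non-document
# responses; adjust DOCUMENT_TYPES or the returned policy if that differs.
from http.server import SimpleHTTPRequestHandler, ThreadingHTTPServer

STRICT_CSP = "default-src 'none'"

# Response types that are documents rendered as pages, where the strict
# policy belongs. Media files opened directly are deliberately excluded.
DOCUMENT_TYPES = {"text/html", "application/xhtml+xml"}


def csp_for(content_type):
    """Return the CSP header value for a response, or None to omit it.

    The content type may carry parameters (e.g. 'text/html; charset=utf-8'),
    which are stripped before matching.
    """
    if content_type is None:
        return None
    base = content_type.split(";", 1)[0].strip().lower()
    if base in DOCUMENT_TYPES:
        return STRICT_CSP
    # Media and other subresources: no document-level CSP, so opening the
    # file URL directly does not inherit a policy that blocks its own player.
    return None


class CSPHandler(SimpleHTTPRequestHandler):
    """Static file handler that applies csp_for() to every response."""

    _content_type = None

    def send_header(self, keyword, value):
        # Remember the Content-Type the base handler chose for this response.
        if keyword.lower() == "content-type":
            self._content_type = value
        super().send_header(keyword, value)

    def end_headers(self):
        policy = csp_for(self._content_type)
        if policy:
            super().send_header("Content-Security-Policy", policy)
        self._content_type = None  # do not leak the type into a later response
        super().end_headers()


if __name__ == "__main__":
    # Serves the current directory on http://127.0.0.1:8000/ for a manual check.
    ThreadingHTTPServer(("127.0.0.1", 8000), CSPHandler).serve_forever()
```

With a page and a video in the served directory, the page gets the strict header while the video response carries none, which is the split the post is asking about.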