I know this is likely to be a won't-fix resolution, but I'd like to confirm that.
So if a webserver has the extremely cautious content-security header:
content-security-policy: default-src 'none';
Firefox will correctly not embed video from that same domain in web pages hosted by that domain.
Fine. Good. Totally right.
When the server sets the same flag on the media file itself, Firefox's media player won't play it in browser. Even if I directly open the URL as a user, signaling my user intent to accept the risks for the file, the default player Firefox creates uses the media file's content-security-policy FOR itself.
This means the media won't load, Firefox gives an unhelpful and incorrect error message about MIME types, and the only way to view it is to actively download it and view it in a local media application.
Now, given the risks of allowing exceptions in CSP, I will understand if the development team doesn't feel this is a safe change to make, and it's on website owners to prevent this, but I don't feel it's in keeping with the intent of CSP to prevent this case.
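One way a site owner can avoid the situation described in this report is to choose the CSP value per response type instead of sending one strict policy on everything. The following is an added example, not code from the report or from Firefox; the names are mine, and it assumes that a media response only needs to permit same-origin media (media-src 'self') for the browser's built-in player to load the file.

```python
"""Per-response Content-Security-Policy selection (added example).

Assumptions: STRICT_CSP/MEDIA_CSP and the function names are constructed
for this example; MEDIA_CSP is assumed sufficient for a browser's built-in
player, which embeds the same-origin media file in a generated document.
"""
from __future__ import annotations

# Policy for HTML documents, exactly as in the report.
STRICT_CSP = "default-src 'none'"
# Policy for media responses: still deny everything by default, but let the
# generated player document load the media from its own origin.
MEDIA_CSP = "default-src 'none'; media-src 'self'"

DOCUMENT_TYPES = {"text/html", "application/xhtml+xml"}


def csp_for_content_type(content_type: str) -> str:
    """Return the CSP value to attach to a response with this Content-Type."""
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type in DOCUMENT_TYPES:
        return STRICT_CSP
    if media_type.startswith(("audio/", "video/")):
        return MEDIA_CSP
    # Anything else (scripts, stylesheets, JSON, ...) keeps the strict policy;
    # CSP only governs documents, so it is harmless on such responses.
    return STRICT_CSP


def apply_policy(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Replace any existing CSP header with the one chosen for the response.

    Missing Content-Type is treated as application/octet-stream, which keeps
    the strict policy.
    """
    kept = [(k, v) for k, v in headers if k.lower() != "content-security-policy"]
    ctype = next((v for k, v in kept if k.lower() == "content-type"),
                 "application/octet-stream")
    kept.append(("Content-Security-Policy", csp_for_content_type(ctype)))
    return kept


if __name__ == "__main__":
    # Constructed sample responses: an HTML page and a directly opened video.
    for hdrs in ([("Content-Type", "text/html; charset=utf-8")],
                 [("Content-Type", "video/webm"),
                  ("Content-Security-Policy", STRICT_CSP)]):
        print(apply_policy(hdrs))
```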