Closed SleepProgger closed 8 years ago
In the developer tools console, do you see the CSP rule being sent correctly? If so, that sounds like a FF bug.
Could you try changing the CSP syntax to 'img-src http:'?
From 'security csp' in the Developer Toolbar, it also shows up like that in response headers:
> it happily displays images from an HTTPS source

Can confirm, was able to append that HTTPS screenshot to the page:
To be fair, it doesn't seem to make a lot of sense to restrict images to insecure URLs, but I would agree that's a bug.
I also confirmed this, and it's definitely a bug according to the CSP spec. Testing it out in csptester.io, it looks like Firefox Dev Edition does not ignore 'img-src https:' but does ignore 'img-src http:'.
Update: FF and Chrome have decided that ignoring the http-only CSP directive is correct. As a workaround, Sniffly Firefox uses crbug 436451 for sniffing. Closing for now; please reopen if it still doesn't work!
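The behaviour the update describes (an image policy of 'img-src http:' not blocking HTTPS images) is what CSP Level 3's scheme-part matching rule specifies: a scheme-source of http: also matches https: URLs, and ws: also matches wss:. The following is an added example, not code from this thread or from the Sniffly project: a minimal matcher for scheme-source expressions that implements that rule, so you can see which of the two policies discussed above admits which image URL. It handles only scheme-sources and the 'none' keyword (host-sources, nonces and hashes are deliberately out of scope), and the example.test URLs are constructed placeholders.

```javascript
// Added example: CSP Level 3 "scheme-part matching" for scheme-sources.
// Only scheme-sources ("http:", "https:", "ws:", ...) and the keyword
// 'none' are modelled; host-sources, nonces and hashes are not.

// Returns true when a policy scheme admits a URL scheme. Besides an
// exact match, CSP3 lets an insecure scheme in the policy also admit
// its secure counterpart (http -> https, ws -> wss).
function schemePartMatches(policyScheme, urlScheme) {
  const a = policyScheme.toLowerCase();
  const b = urlScheme.toLowerCase();
  if (a === b) return true;
  if (a === 'http' && b === 'https') return true;
  if (a === 'ws' && b === 'wss') return true;
  return false;
}

// Split a directive such as "img-src http:" into its name and its
// whitespace-separated source expressions.
function parseDirective(directive) {
  const [name, ...sources] = directive.trim().split(/\s+/);
  return { name: name.toLowerCase(), sources };
}

// Decide whether `url` is allowed by the source list of `directive`.
// An empty source list or 'none' blocks everything; any unsupported
// source kind is treated as not matching in this reduced model.
function urlAllowed(directive, url) {
  const { sources } = parseDirective(directive);
  if (sources.length === 0 || sources.includes("'none'")) return false;
  const urlScheme = new URL(url).protocol.replace(/:$/, '');
  return sources.some((src) => {
    if (/^[a-z][a-z0-9+.-]*:$/i.test(src)) {
      // scheme-source: strip the trailing colon and compare schemes
      return schemePartMatches(src.slice(0, -1), urlScheme);
    }
    return false;
  });
}

// Evaluate the two policies from the thread against an HTTP and an
// HTTPS image URL; returns a map of "policy | url" -> allowed.
function policyMatrix() {
  const policies = ['img-src http:', 'img-src https:'];
  const urls = [
    'http://example.test/shot.png',  // constructed placeholder
    'https://example.test/shot.png', // constructed placeholder
  ];
  const result = {};
  for (const p of policies) {
    for (const u of urls) {
      result[`${p} | ${u}`] = urlAllowed(p, u);
    }
  }
  return result;
}

console.log(policyMatrix());
```

Running it shows that 'img-src http:' admits both the http:// and the https:// image, while 'img-src https:' admits only the https:// one; an http:-only image policy therefore cannot be used to keep HTTPS images off a page under CSP3, which is the outcome the update reports for Firefox and Chrome.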
Just a little heads up: I played a bit with the project and noticed it is working in the current FF release (not as nicely as in Chrome, but it works with adding the CSP header via PHP), but didn't work in the FF Developer Edition.
In fact it looks like Dev Edition ignores the CSP rule completely, as it happily displays images from an HTTPS source.