mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

CSP in <meta> is not analyzed when sent together with CSP in header #489

Open rw-AntoniRoszak opened 1 year ago

rw-AntoniRoszak commented 1 year ago

Steps:

  1. Scan page: https://shop.rockwool.com

Observation:

Expectation:

Problem appeared in commit a422b3aee91f34535990ffa7ba3aa5256dfb83da - when I check out master before this commit, the combined policy is analyzed properly.

CSP header data: upgrade-insecure-requests; frame-ancestors 'self'

@april
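The combined-policy analysis this report expects, as an added example (not Observatory code): it gathers every policy a browser will enforce from both delivery channels, drops the directives the CSP spec ignores in `<meta>`, and reports which source lists govern a given directive. The sample header value is the one quoted above; the `<meta>` policy and `https://cdn.example` are constructed.

```python
# Added example, not Observatory code: collect every CSP a browser enforces for a
# page, from HTTP headers and <meta http-equiv>, so the combined policy is assessed.
from html.parser import HTMLParser

META_IGNORED = {"frame-ancestors", "report-uri", "sandbox"}  # ignored by browsers in <meta>

def parse_policy(serialized):
    """'default-src 'self'; img-src *' -> {directive: [source expressions]}."""
    policy = {}
    for token in serialized.split(";"):
        parts = token.split()
        if parts and parts[0].lower() not in policy:  # first occurrence of a directive wins
            policy[parts[0].lower()] = parts[1:]
    return policy

class _MetaCSP(HTMLParser):
    def __init__(self):
        super().__init__()
        self.policies = []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policies.append(a.get("content") or "")

def collect_policies(csp_headers, html):
    """All enforced policies: each comma-separated policy from every CSP header
    value, then each <meta> policy with its meta-ignored directives dropped."""
    policies = []
    for value in csp_headers:
        policies.extend(parse_policy(p) for p in value.split(",") if p.strip())
    parser = _MetaCSP()
    parser.feed(html)
    for content in parser.policies:
        policies.append({k: v for k, v in parse_policy(content).items() if k not in META_IGNORED})
    return policies

def governing_values(policies, directive):
    """Per policy, the source list applied to `directive` (fetch directives fall
    back to default-src). A load is allowed only if every returned list permits it."""
    out = []
    for p in policies:
        if directive in p:
            out.append(p[directive])
        elif directive.endswith("-src") and "default-src" in p:
            out.append(p["default-src"])
    return out

# Header value quoted in the issue; the <meta> policy below is constructed.
SAMPLE_HEADERS = ["upgrade-insecure-requests; frame-ancestors 'self'"]
SAMPLE_HTML = ('<meta http-equiv="Content-Security-Policy" content="default-src '
               "'self'; script-src 'self' https://cdn.example; frame-ancestors 'none'\">")
```

Run `governing_values(collect_policies(SAMPLE_HEADERS, SAMPLE_HTML), "script-src")` to see that the header alone restricts nothing about scripts while the `<meta>` policy does, which is exactly what a header-only scan misses.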

mirunacurtean commented 2 months ago

This appears to be fixed in 2023.

rw-AntoniRoszak commented 2 months ago

Yes, but this is because in this case, CSP was moved to HTTP header. So the problem is no longer visible on the listed page. Unfortunately I don't know any other page that could be used for problem reproduction.