mozilla / http-observatory

Mozilla HTTP Observatory
https://observatory.mozilla.org/
Mozilla Public License 2.0

Blank http-equiv causes CSP test to fail with 'csp-header-invalid' #492

Open cuibonobo opened 1 year ago

cuibonobo commented 1 year ago

My site is currently returning the following CSP headers:

content-security-policy: default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'

However, the framework used to generate my site adds the following meta tag to the HTML header:

<meta http-equiv="content-security-policy" content="">

In this situation, equiv_csp_header ends up being a blank string and causes a CSP parsing error because the string is too short.

I plan on fixing the http-equiv for my site, but the observatory code should probably check if equiv_csp_header is a blank line before attempting to parse it.
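As an added illustration (not the Observatory's own code), the following Python sketch collects the CSP from both the response header and any `<meta http-equiv>` tags, and treats a blank `content=""` as "no policy" rather than as an invalid one; the sample header and meta tag are the ones quoted in the issue, and the function names are assumptions.

```python
from html.parser import HTMLParser

# Constructed sample: the header and the blank meta tag described in the issue.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; frame-ancestors 'none'",
}
SAMPLE_HTML = ('<html><head><meta http-equiv="content-security-policy" '
               'content=""></head></html>')


class CspMetaExtractor(HTMLParser):
    """Collect the content of every CSP <meta http-equiv> tag in the document."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attrs = {k.lower(): (v or "") for k, v in attrs}
        if attrs.get("http-equiv", "").strip().lower() == "content-security-policy":
            self.policies.append(attrs.get("content", ""))


def parse_csp(policy):
    """Parse one policy string into {directive: [source-expression, ...]}.
    Returns None when no directive is present, i.e. 'csp-header-invalid'."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])  # duplicate: first wins
    return directives or None


def collect_csp(headers, html, skip_blank_meta=True):
    """Return (parsed_policies, result) with result 'ok' or 'csp-header-invalid'.
    With skip_blank_meta=False the empty content="" is parsed as a policy,
    which is the failure the issue describes."""
    extractor = CspMetaExtractor()
    extractor.feed(html)
    candidates = [v for k, v in headers.items() if k.lower() == "content-security-policy"]
    for meta in extractor.policies:
        if skip_blank_meta and not meta.strip():
            continue  # a blank meta tag carries no policy, so it is not an error
        candidates.append(meta)
    parsed = [parse_csp(p) for p in candidates]
    return ([], "csp-header-invalid") if any(p is None for p in parsed) else (parsed, "ok")
```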