terreng / simple-web-server

Create a local web server in just a few clicks with an easy to use interface. Built with Electron.
https://simplewebserver.org
MIT License
268 stars 75 forks

Getting Content-Security-Policy error on Firefox 130.0.1 #218

Closed mxtbcca closed 1 month ago

mxtbcca commented 1 month ago

Description/Steps to reproduce
Please describe what doesn't work and what you expected to happen.

  1. Have Firefox 131.0 installed (just updated, worked yesterday)
  2. Have a basic HTML file with a script tag pointing to a local js file
  3. Load page and view console output:
     Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://127.0.0.1:8083/html-islands/js6/main.js from being executed because it violates the following directive: “script-src 'none'”
  4. It would be nice if the default Content-Security-Policy (CSP) header directives did not set “script-src 'none'” and/or it would be great to be able to set the server directives from the config console.

Version information
MS Windows Pro, 10.0.22631 Build 22631
Simple Server, v1.2.9

Screenshots If applicable, add screenshots to help explain the issue.

image

ethanaobrien commented 1 month ago

Unless @terreng made the change, we do not set the Content-Security-Policy header (and you can confirm this by going to the network tab, clicking the initial request, and navigating to the response headers section)

It's possible you're setting this unknowingly in the HTML file: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

terreng commented 1 month ago

I can't seem to replicate this on Firefox 131.0. As Ethan said, we do not set the Content-Security-Policy header, and I don't think Firefox has changed defaults on this.

In order to investigate any further, could you share an example file or reduced test case that exhibits this problem?

mxtbcca commented 1 month ago

Thanks for the prompt replies. I'll dig around some more, make a simple file and see what happens.

As I said the only thing that changed was upgrading Firefox, code still works on Chrome and I downloaded the Floorp browser based on FF and it works there.

So very odd. :-(

mxtbcca commented 1 month ago

Still seeing the issue with this simple testing file: test-01.html

```html
<!DOCTYPE html>
<html>
<head>
   <title>Test 01</title>
</head>
<body class="bc">
   <header>
      <h1>Test 01</h1>
   </header>
   <nav id="nav-blk">
      nav block
   </nav>
   <main>
      <p id="id-01">main block a</p>
   </main>
   <script>
      console.log(`script tag begin`);

      console.log(`script tag end`);
   </script>
</body>
</html>
```

Firefox screen shot

image

Chrome screen shot

image

terreng commented 1 month ago

Can't reproduce in Firefox. Works as expected, I don't see the CSP error in the console.

Could you send a screenshot from the Network tab showing the Response headers for the .html file?

ethanaobrien commented 1 month ago

Would you also please try in incognito and/or a clean Firefox profile? An extension you installed could be intercepting the request and adding the header
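
The checks suggested in this thread (response headers, a policy set inside the HTML, a clean profile), as an added example that is not part of the original comments or the project's code: given a response's headers and body, it reports whether a Content-Security-Policy is actually served and whether it forbids all scripts. The function names and the sample inputs are constructed for illustration.

```javascript
// Split one policy string into a Map: directive name -> list of sources.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !directives.has(name.toLowerCase())) directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// True when the policy allows no script elements at all. script-src-elem
// falls back to script-src, which falls back to default-src.
function forbidsAllScripts(policy) {
  const d = parsePolicy(policy);
  const src = d.get('script-src-elem') || d.get('script-src') || d.get('default-src');
  if (!src) return false;
  return src.length === 0 || (src.length === 1 && src[0].toLowerCase() === "'none'");
}

// Collect policies delivered as <meta http-equiv="Content-Security-Policy" content="...">.
function metaPolicies(html) {
  const attr = (tag, name) => {
    const m = tag.match(new RegExp('\\s' + name + '\\s*=\\s*(?:"([^"]*)"|\'([^\']*)\')', 'i'));
    return m ? (m[1] ?? m[2]) : '';
  };
  return (html.match(/<meta\b[^>]*>/gi) || [])
    .filter((tag) => attr(tag, 'http-equiv').toLowerCase() === 'content-security-policy')
    .map((tag) => attr(tag, 'content'));
}

// headers: response headers as an object (any case); html: the response body.
function locateCsp(headers, html) {
  const found = [];
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === 'content-security-policy') found.push({ source: 'response-header', policy: value });
  }
  for (const policy of metaPolicies(html)) found.push({ source: 'meta-tag', policy });
  for (const f of found) f.forbidsScripts = forbidsAllScripts(f.policy);
  // served === false: nothing in the response sets a policy, so any CSP the browser enforces was added on the client.
  return { served: found.length > 0, found };
}

// Constructed samples (not captured from the server in this thread).
const plainPage = '<!DOCTYPE html><html><head><title>Test 01</title></head><body><script>console.log(1)</script></body></html>';
const metaPage = `<html><head><meta http-equiv="Content-Security-Policy" content="default-src 'self'; script-src 'none'"></head></html>`;
console.log(locateCsp({ 'Content-Type': 'text/html' }, plainPage));
console.log(locateCsp({}, metaPage));
```

When `served` is false for the exact response the browser received, the server and the page are ruled out, which leaves the browser profile and its extensions to check.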

terreng commented 1 month ago

Hi there, are you able to share more details? If not I'm going to have to close this issue.

mxtbcca commented 1 month ago

Please go ahead and close the issue.

Unrelated but I ended up rebooting and then everything was ok.
