Not working in FF Developer edition

[SleepProgger]

Just a little heads up:
I played a bit with the project and noticed it is working in the current FF release (not as nicely as in chrome but it works with adding the CSP header via PHP), but didn't work in the FF Developer edition.

In fact it looks like dev edition ignores the CSP rule completely as it happily displays images from an HTTPS source.

[diracdeltas]

In the developer tools console, do you see the CSP rule being sent correctly? If so, that sounds like a FF bug.

Could you try changing the CSP syntax to img-src http:?

[jomo]

From security csp in the Developer Toolbar, it also shows up like that in response headers:

---

it happily displays images from an HTTPS source

Can confirm, was able to append that HTTPS screenshot to the page:

---

To be fair, it doesn't seem to make a lot of sense to restrict images to insecure URLs, but I would agree that's a bug.

[diracdeltas]

I also confirmed this, and it's definitely a bug according to the CSP spec. Testing it out in csptester.io, it looks like Firefox Dev Edition does not ignore 'img-src https:' but does ignore 'img-src http:'.

[diracdeltas]

Filed https://bugzilla.mozilla.org/show_bug.cgi?id=1218524

[diracdeltas]

Also see w3c/webappsec-csp#25

[diracdeltas]

Update: FF and Chrome have decided that ignoring the http-only CSP directive is correct. As a workaround, Sniffly Firefox uses crbug 436451 for sniffing. Closing for now; please reopen if it still doesn't work!