Question

I have the following Content Security Policy defined:

X-Content-Security-Policy-Report-Only: default-src 'self'; report-uri /foo

If I change that to X-Content-Security-Policy, the policy gets enforced and the report is sent. However, when I set it to Report-Only, no policy warnings appear in the console and no report is sent.

I'm aware of the bug where they don't support unsafe-inline and unsafe-eval; rather, you have to use options inline-script eval-script, but I'm not using either on this page.

I don't know if this has much to do with it, but the header is being sent as X-Content-Security-Policy-Report-Only and Firebug shows it as x-content-security-policy-report-only, simply changing the case.

Also, when supplying both an X-Content-Security-Policy and X-Content-Security-Policy-Report-Only as follows:

X-Content-Security-Policy: default-src 'self'; options inline-script; report-uri /csp-report.php
x-content-security-policy-report-only: default-src 'self'; report-uri /csp-report.php

The console has a WARN level message:

Report-only CSP policy will be ignored because there are other non-report-only CSP policies applied.

So it's seeing the header, and instead of processing it and reporting but enforcing the other, it's dropping it altogether?


Solution

Uggh - I'd seen the bug report before, but didn't read it carefully and thought it was the unsafe-inline or unsafe-eval problem. https://bugzilla.mozilla.org/show_bug.cgi?id=687086 actually specifically talks about inline script not firing the policy because the script is allowed to run. Doing testing with other things which violate the policy (such as loading script from elsewhere) the report gets generated and sent.
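As an added illustration (not code from the question or the answer above), the following Node.js harness reproduces the experiment the answer describes: it serves a page containing one inline script and one cross-origin script, sends the legacy vendor-prefixed header in enforcing, report-only, or both modes, and receives violation reports at /csp-report.php (the path from the question). The port 8080, the example.org host, and the sample report body are assumptions made here for illustration; which violations Firefox actually reported under bug 687086 is taken from the thread, not verified by this code.

```javascript
// Added example, not from the original page: a small harness for testing
// legacy X-Content-Security-Policy behaviour. Assumptions: Node.js, port
// 8080, example.org as a placeholder cross-origin host, and the report
// endpoint path /csp-report.php used in the question.

// Header names are case-insensitive, which is why Firebug's lower-case
// rendering in the question is harmless; Node lower-cases them too.
const ENFORCE_HEADER = 'X-Content-Security-Policy';
const REPORT_ONLY_HEADER = 'X-Content-Security-Policy-Report-Only';

// Build the policy header(s) for a mode. 'both' reproduces the case from the
// question where the browser warns that the report-only policy is ignored.
function buildPolicyHeaders(mode, reportUri = '/csp-report.php') {
  const policy = `default-src 'self'; report-uri ${reportUri}`;
  switch (mode) {
    case 'enforce':
      return { [ENFORCE_HEADER]: policy };
    case 'report-only':
      return { [REPORT_ONLY_HEADER]: policy };
    case 'both':
      return { [ENFORCE_HEADER]: policy, [REPORT_ONLY_HEADER]: policy };
    default:
      throw new Error(`unknown mode: ${mode}`);
  }
}

// Mirrors the Firefox warning quoted in the question: an enforcing policy on
// the same response causes the report-only one to be dropped, not evaluated.
function reportOnlyWillBeIgnored(headers) {
  const names = Object.keys(headers).map((h) => h.toLowerCase());
  return names.includes(ENFORCE_HEADER.toLowerCase()) &&
         names.includes(REPORT_ONLY_HEADER.toLowerCase());
}

// Test page: the inline script is the case the answer says produced no report
// in report-only mode; the cross-origin script violates default-src 'self'
// and is the kind of violation the answer says did get reported.
function testPage() {
  return [
    '<!doctype html><html><body>',
    '<p>CSP test page</p>',
    '<script>document.title = "inline ran";</script>',
    '<script src="https://example.org/external.js"></script>',
    '</body></html>',
  ].join('\n');
}

// Parse a violation report. Both the standard "document-uri" field and the
// older Firefox "request" field are accepted; the rest sits under the
// "csp-report" wrapper in both formats.
function parseCspReport(body) {
  const r = JSON.parse(body)['csp-report'];
  if (!r || typeof r !== 'object') throw new Error('missing csp-report object');
  return {
    documentUri: r['document-uri'] || r['request'] || null,
    blockedUri: r['blocked-uri'] || null,
    violatedDirective: r['violated-directive'] || null,
  };
}

// Constructed sample report (not captured from a browser) for offline use.
const SAMPLE_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'http://localhost:8080/',
    'blocked-uri': 'https://example.org/external.js',
    'violated-directive': "default-src 'self'",
  },
});

// HTTP server: serves the test page with the chosen headers and accepts
// POSTed reports, handing each parsed report to onReport.
function createServer(mode, onReport) {
  const http = require('http');
  return http.createServer((req, res) => {
    if (req.method === 'POST' && req.url === '/csp-report.php') {
      let body = '';
      req.on('data', (chunk) => { body += chunk; });
      req.on('end', () => {
        try { onReport(parseCspReport(body)); } catch (e) { console.error(e.message); }
        res.writeHead(204);
        res.end();
      });
      return;
    }
    res.writeHead(200, { 'Content-Type': 'text/html', ...buildPolicyHeaders(mode) });
    res.end(testPage());
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  const mode = process.argv[2] || 'report-only';   // enforce | report-only | both
  createServer(mode, (r) => console.log('CSP report:', r))
    .listen(8080, () => console.log(`serving in ${mode} mode on http://localhost:8080/`));
}
```

Run it as `node csp-harness.js report-only` (or `enforce` / `both`), open http://localhost:8080/ in the browser under test, and watch the console for parsed reports; comparing the three modes against the browser's own console shows which violations produce a report and whether a report-only header is honoured at all.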

Licensed under: CC-BY-SA with attribution