237419 2022-03-03 04:32:46 -0800 Invalid characters in HTTP Content-Security-Policy value doesn't impact the CSP 2022-03-03 05:24:32 -0800 1 1 1 Unclassified WebKit Page Loading Safari Technology Preview Mac (Intel) macOS 10.15 RESOLVED WORKSFORME https://www.mollysastrology.com P2 Normal --- 1 karl+webkit webkit-unassigned beidson oldest_to_newest 1847830 0 karl+webkit 2022-03-03 04:32:46 -0800 1. Go to https://www.mollysastrology.com 2. Check the HTTP Response The value for HTTP Response HTTP/2 200 OK date: Thu, 03 Mar 2022 11:40:47 GMT content-type: text/html; charset=UTF-8 content-length: 20900 cache-control: public, max-age=0 expires: Thu, 03 Mar 2022 11:40:47 GMT last-modified: Wed, 02 Mar 2022 19:10:07 GMT accept-ranges: bytes content-encoding: gzip vary: Accept-Encoding wpx: 1 strict-transport-security: max-age=31536000; includeSubDomains x-xss-protection: 1; mode=block content-security-policy: default-src â��selfâ��; alt-svc: h3=":443"; ma=2592000, h3-29=":443"; ma=2592000, h3-Q050=":443"; ma=2592000, h3-Q046=":443"; ma=2592000, h3-Q043=":443"; ma=2592000, quic=":443"; ma=2592000; v="43,46" x-turbo-charged-by: LiteSpeed x-edge-location: WPX CLOUD/TYO02 server: WPX CLOUD/TYO02 x-cache-status: MISS X-Firefox-Spdy: h2 Check this specific Header. content-security-policy: default-src â��selfâ��; Expected: This is to be determined. Actual: Currently Safari Tech Preview and Edge Blink Canary do not have any issues with it. Firefox bails out on all subsequent resources and displays only the HTML page (without JS and CSS). Note: This probably requires to dig into the specification and determine 1. what the spec says 2. what is the best course of actions. Change the spec or align the implementations of Gecko, Blink and WebKit Basically this creates a Webcompat issue https://github.com/webcompat/web-bugs/issues/100417 1847832 1 karl+webkit 2022-03-03 04:40:26 -0800 Opened on https://bugs.webkit.org/show_bug.cgi?id=237419 https://bugzilla.mozilla.org/show_bug.cgi?id=1757913 https://bugs.chromium.org/p/chromium/issues/detail?id=1302617 1847847 2 karl+webkit 2022-03-03 05:24:32 -0800 So this is already a known bug on Firefox https://bugzilla.mozilla.org/show_bug.cgi?id=1570722 And it was discussed on https://github.com/w3c/webappsec-csp/issues/473 The behavior of Blink and WebKit is right.