Bug involving XHTML, CSP, and Firefox ESR
Posted: Sun Apr 25, 2021 10:46 pm
Viewing this page https://www.alm.website/blog/2021/04/25/v3.1-xsite (default untrusted) with Firefox 78.9.0esr I get a blank page. (The site's author, on Firefox 84 and with the site not trusted, does not see this problem.) Disabling NoScript or allowing scripts results in the page showing; disabling NoScript *and* disabling all Javascript also results in the page showing.
It seems to have something to do with CSP processing and XHTML. I get several repetitions of the following:
with one of these mixed in:
The page currently ships with the following CSP, if this is relevant:
It seems to have something to do with CSP processing and XHTML. I get several repetitions of the following:
Code: Select all
Content Security Policy: Couldn’t process unknown directive ‘noscript-marker’
Content Security Policy: Couldn’t process unknown directive ‘script-src-elem’
Content Security Policy: Couldn’t process unknown directive ‘script-src-attr’
Code: Select all
XML Document: temporary replacing <html xmlns="http://www.w3.org/1999/xhtml"> with <HTML>
DocumentCSP.js:42:17
Code: Select all
Content-Security-Policy: default-src 'none'; script-src 'self'; style-src 'self'; frame-ancestors 'self'; base-uri 'self'; form-action 'self'