NoScript blocks CSP report-uri
Posted: Wed Dec 07, 2016 11:50 pm
NoScript appears to block post requests to report Content-Security-Policy violations. With scripts globally activated, reporting works as expected.
Output from the web console:
Content Security Policy: Tried to send report to invalid URI: “https://csp-reports.tocco.ch/e"
Content Security Policy: The page’s settings blocked the loading of a resource at https://domain.invalid/script.js (“script-src https://master.tocco.ch 'unsafe-inline' 'unsafe-eval'”).
I set up a page for testing: https://master.tocco.ch/noscript-test
Tested with:
NoScript: 2.9.5.2rc5 and 2.9.5.2
Firefox: 50, 52a2, 53a1 and Tor Browser 6.5a5
Output from the web console:
Content Security Policy: Tried to send report to invalid URI: “https://csp-reports.tocco.ch/e"
Content Security Policy: The page’s settings blocked the loading of a resource at https://domain.invalid/script.js (“script-src https://master.tocco.ch 'unsafe-inline' 'unsafe-eval'”).
I set up a page for testing: https://master.tocco.ch/noscript-test
Tested with:
NoScript: 2.9.5.2rc5 and 2.9.5.2
Firefox: 50, 52a2, 53a1 and Tor Browser 6.5a5