Closed Bug 1066462 Opened 10 years ago Closed 10 years ago

CSP attribute in manifest doesn't block an external image

Categories: Core :: DOM: Security, defect
Platform: x86 macOS
Priority: Not set
Severity: normal
Status: RESOLVED DUPLICATE of bug 1030936
People: Reporter: pauljt, Unassigned

When testing 1021972, I found that the img-src directive doesn't restrict loading of images. For example, img-src 'self'; still allows loading of an image from a remote origin.

STR:
1. Install app from https://github.com/pauljt/csptest
2. Scroll to bottom of app and choose "external image" link
3. A page is shown which attempts to load an external image

Expected Results: Image is blocked
Actual: Image is loaded as if there was no CSP.

Further notes: The extra CSP that this app opts into using the manifest is: "csp": "image-src 'self'; style-src 'self';" Note that the inline style appears to be blocked, so it seemed this CSP is actually being set. Tested with https://github.com/pauljt/csptest/blob/master/inlinestyle.html
That's because the csp for certified apps is still using the hardcoded fastpath that only knows about the default certified csp. That should all be fixed once bug 1030936 is fixed.
(In reply to Fabrice Desré [:fabrice] from comment #2)
> That's because the csp for certified apps is still using the hardcoded
> fastpath that only knows about the default certified csp. That should all be
> fixed once bug 1030936 is fixed.

Ah ok thanks Fabrice!
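Added example, not code from the bug or the csptest app: a minimal Python evaluator for the two directives this report exercises, returning the results comment 0 expects (a remote image blocked under img-src 'self', inline style blocked under style-src 'self'). It drops directive names that CSP does not define, as the spec requires, which is worth checking against the manifest string quoted in comment 1: "image-src" is not a CSP directive name (img-src is), so a spec-conformant parser would apply only its style-src part. Origins are constructed placeholders.

```python
"""Minimal CSP source-list evaluator for img-src / style-src checks (added example)."""

# Directive names this evaluator understands; CSP ignores any name it does not define.
KNOWN_DIRECTIVES = {"default-src", "img-src", "style-src", "script-src"}


def parse_csp(policy):
    """Parse "name src src; name src" into {name: [sources]}, dropping unknown names.
    The first occurrence of a directive wins, as in CSP."""
    directives = {}
    for token in policy.split(";"):
        parts = token.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name in KNOWN_DIRECTIVES and name not in directives:
            directives[name] = sources
    return directives


def source_matches(source, app_origin, target_origin):
    """Match one source expression against the origin being loaded."""
    if source == "'self'":
        return target_origin == app_origin
    if source == "*":
        return True
    if source == "'none'":
        return False
    return source.rstrip("/") == target_origin  # host source, origin form only


def load_allowed(policy, directive, app_origin, target_origin):
    """True if a fetch of kind `directive` (e.g. img-src) from target_origin may proceed."""
    directives = parse_csp(policy)
    sources = directives.get(directive, directives.get("default-src"))
    if sources is None:
        return True  # no governing directive at all: unrestricted
    return any(source_matches(s, app_origin, target_origin) for s in sources)


def inline_style_allowed(policy):
    """Inline <style> is blocked unless style-src (or default-src) lists 'unsafe-inline'."""
    directives = parse_csp(policy)
    sources = directives.get("style-src", directives.get("default-src"))
    if sources is None:
        return True
    return "'unsafe-inline'" in sources
```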
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE