Closed
Bug 1232628
Opened 9 years ago
Closed 8 years ago
CSP warning sent when it probably shouldn't be
Categories: Core :: DOM: Security, defect
Status: RESOLVED INVALID
People: Reporter: jwalker, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog]
I've a web-app that has a CSP policy. It used to pass on both Firefox and Chrome. As of last week (ish) Firefox began complaining. The site appears to work fine in both browsers.
Details in comments.
Comment 1 • 9 years ago (Reporter)
The policy (as fetched from netmonitor) is
Content-Security-Policy:base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
Comment 2 • 9 years ago (Reporter)
The violation as reported in the webconsole is:
Content Security Policy: The page's settings blocked the loading of a resource at self ("default-src http://localhost:3000")
The CSP violation ping says: {... "violated-directive":"default-src http://localhost:3000"}
Comment 3 • 9 years ago (Reporter)
I ran with NSPR_LOG_MODULES=CSPContext:5, and ...
2006130688[10a5762d0]: nsCSPContext::nsCSPContext
2006130688[10a5762d0]: nsCSPContext::AppendPolicy: base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: >>>> aContentType: 40
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: >>>> aContentType: 36
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: >>>> aContentType: 4
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/resources/index.css
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: >>>> aContentType: 2
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: http://localhost:3000/built/index.js
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: https://fonts.googleapis.com/css?family=Roboto:400,300,500
2006130688[10a5762d0]: >>>> aContentType: 4
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, decision: load, aContentLocation: https://fonts.googleapis.com/css?family=Roboto:400,300,500
2006130688[10a5762d0]: Sent violation report to URI http://localhost:3000/cspviolation
2006130688[10a5762d0]: nsCSPContext::ShouldLoad, aContentLocation: https://fonts.gstatic.com/s/roboto/v15/oMMgfZMQthOryQo9n22dcuvvDin1pK8aKteLpeZ5c0A.woff2
...
TL;DR:
"decision: load" followed by "Sent violation report" seems strange...
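To see why every load in the log above is allowed by the policy from comment 1, and what the same policy would block, here is a small CSP source-list matcher. It is an added example, not Firefox's nsCSPContext and not the reporter's code. It assumes the page origin is http://localhost:3000 (inferred from the log), treats aContentType 2 and 4 as script and stylesheet loads (the usual nsIContentPolicy TYPE_SCRIPT and TYPE_STYLESHEET values), and uses constructed URLs for the WebSocket, plugin and third-party script cases; nonces, hashes and wildcards are left out.

```python
"""Minimal CSP source-list matcher (added example, not Firefox's nsCSPContext).

Parses a Content-Security-Policy header into directives, resolves the
effective directive for a fetch (falling back to default-src), and checks
a candidate URL against host-source, scheme-source, 'self', 'none' and
'unsafe-inline' expressions. Nonces, hashes and wildcards are omitted.
"""
from urllib.parse import urlsplit

# The policy from comment 1 of the bug, verbatim.
POLICY_HEADER = (
    "base-uri 'self'; connect-src 'self' ws://localhost:3000; default-src 'self'; "
    "font-src 'self' https://fonts.gstatic.com; img-src 'self' data:; object-src; "
    "report-uri /cspviolation; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com"
)
# Page origin assumed from the log lines (http://localhost:3000/...).
SELF_ORIGIN = "http://localhost:3000/"

# Fetch directives that fall back to default-src when they are absent.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "child-src"}
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def parse_csp(header):
    """Split 'name src src; name src' into {name: [src, ...]}; names are lower-cased."""
    policy = {}
    for token in header.split(";"):
        parts = token.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        if name not in policy:  # first occurrence wins; duplicates are ignored
            policy[name] = parts[1:]  # 'object-src;' yields [] -> nothing is allowed
    return policy


def effective_directive(policy, directive):
    """Return (governing_name, sources), or None when the fetch is unrestricted."""
    if directive in policy:
        return directive, policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return "default-src", policy["default-src"]
    return None


def _origin(url):
    u = urlsplit(url)
    return (u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme))


def source_matches(expr, url, self_origin):
    """Does one source expression match `url`? Keyword sources never match a fetched URL
    except 'self', which compares (scheme, host, port) with the page's own origin."""
    target = urlsplit(url)
    if expr.startswith("'"):
        return expr.strip("'").lower() == "self" and _origin(url) == _origin(self_origin)
    if expr.endswith(":"):  # scheme-source such as data:
        return target.scheme == expr[:-1].lower()
    h = urlsplit(expr if "://" in expr else "//" + expr)  # host-source
    if h.scheme:
        if h.scheme != target.scheme:
            return False
    elif target.scheme != urlsplit(self_origin).scheme:
        return False  # a scheme-less host-source inherits the page's scheme
    if h.hostname != target.hostname:
        return False
    target_port = target.port or DEFAULT_PORTS.get(target.scheme)
    return h.port is None or h.port == target_port


def allows(policy, directive, url, self_origin=SELF_ORIGIN):
    """Return (allowed, governing_directive). An empty source list matches nothing."""
    eff = effective_directive(policy, directive)
    if eff is None:
        return True, None
    name, sources = eff
    return any(source_matches(s, url, self_origin) for s in sources), name


def replay_log_loads():
    """Replay the URLs from comment 3 (types 4 = style-src, 2 = script-src)."""
    policy = parse_csp(POLICY_HEADER)
    loads = [
        ("style-src", "http://localhost:3000/resources/index.css"),
        ("script-src", "http://localhost:3000/built/index.js"),
        ("style-src", "https://fonts.googleapis.com/css?family=Roboto:400,300,500"),
        ("font-src", "https://fonts.gstatic.com/s/roboto/v15/oMMgfZMQthOryQo9n22dcuvvDin1pK8aKteLpeZ5c0A.woff2"),
    ]
    return [(d, u) + allows(policy, d, u) for d, u in loads]


if __name__ == "__main__":
    for directive, url, ok, governed_by in replay_log_loads():
        print("load" if ok else "block", directive, "->", governed_by, url)
```

All four logged loads come back as allowed, which is consistent with the "decision: load" lines; a violation report therefore had to come from a load that is not in this excerpt. The replay also shows two things worth remembering when reading such reports: a script load is governed by default-src because the policy has no script-src, and "object-src;" with an empty value allows nothing, the same as 'none'.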
Comment 4 • 9 years ago (Reporter)
Some more digging. It looks like it's React Developer tools.
https://github.com/facebook/react-devtools/issues/134
Is this problem purely Facebook's I wonder?
Comment 5 • 9 years ago
Joe, what are the STR for this problem? Once I know, I can have a look and see what's going on.
Flags: needinfo?(jwalker)
Whiteboard: [domsecurity-backlog]
Comment 6 • 9 years ago (Reporter)
I've not noticed it for a while.
The STR was fairly simple. React app, delivered with strict CSP (default-src 'self'). I'd be happy to close this, because I no longer see it in my setup. But I'll leave the call up to you since the react issue isn't actually closed.
Flags: needinfo?(jwalker)
Comment 7 • 9 years ago
(In reply to Joe Walker [:jwalker] (needinfo me or ping on irc) from comment #6)
> I've not noticed it for a while.
>
> The STR was fairly simple. React app, delivered with strict CSP (default-src
> 'self'). I'd be happy to close this, because I no longer see it in my setup.
> But I'll leave the call up to you since the react issue isn't actually
> closed.
Before closing this I'll ask Kamil if he can reproduce the issue. Kamil, can you give that a try?
Flags: needinfo?(kjozwiak)
Comment 8 • 8 years ago
As per comment 6, I am closing this one as an INVALID since it seems it's not a problem anymore.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(kjozwiak)
Resolution: --- → INVALID