Closed Bug 1236221 Opened 9 years ago Closed 2 years ago

CSP and CSPRO violation reports rewrite the 'self' keyword with domain.

Categories

(Core :: DOM: Security, defect)

43 Branch
defect


RESOLVED DUPLICATE of bug 1474537

People

(Reporter: bugzilla, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog])

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.106 Safari/537.36

Steps to reproduce:

Issue a CSP that uses the 'self' keyword. Cause a violation of the CSP and a report will be sent to the value specified in report-uri. In the report that is sent, 'self' is re-written as the scheme and domain name of the site.

Actual results:

When the following policy is issued:

Content-Security-Policy: default-src 'self'

Reports contain the following:

"original-policy":"default-src https://scotthelme.co.uk/"

Expected results:

When the following policy is issued:

Content-Security-Policy: default-src 'self'

Reports contain the following:

"original-policy":"default-src 'self'"
According to the spec, the value of "original-policy" should be the policy as received by the UA. http://www.w3.org/TR/CSP2/#violation-report-original-policy Also, other keywords remain the same so this would be consistent across all keywords.
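The following is an added example, not part of this bug report or of the Firefox code base. It shows what a report-uri endpoint can do about the behaviour described above: compare the "original-policy" field of an incoming violation report against the Content-Security-Policy value the server actually sent, and classify the report as verbatim, as 'self' rewritten to the document origin (the behaviour reported here), or as a genuine mismatch. The sample report body, the blocked URI in it and the function names are constructed for illustration; the report field names (document-uri, violated-directive, original-policy, blocked-uri) are the ones defined by CSP2.

```javascript
// Added example (not part of bug 1236221 or of Firefox): a helper for a
// report-uri endpoint that checks whether "original-policy" in a CSP
// violation report is the policy text the server sent, or whether the UA
// rewrote 'self' to the page's origin. The sample report is constructed.

// Split a serialized CSP into directive name -> list of source tokens.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...values] = tokens;
    directives.set(name.toLowerCase(), values);
  }
  return directives;
}

// True if `token` is a spelling of the document origin a UA might emit in
// a report: the origin itself, or the origin with a trailing slash (the
// form quoted in this bug's "Actual results").
function isOriginToken(token, origin) {
  const o = origin.replace(/\/$/, '').toLowerCase();
  const t = token.replace(/\/$/, '').toLowerCase();
  return t === o;
}

// Compare the policy the server sent with the one echoed in the report.
// Returns 'verbatim' when both agree token for token, 'self-rewritten' when
// the only difference is 'self' replaced by the origin, and 'mismatch' for
// anything else (different directives, different or extra sources, ...).
function compareOriginalPolicy(sentPolicy, reportedPolicy, origin) {
  const sent = parsePolicy(sentPolicy);
  const reported = parsePolicy(reportedPolicy);
  if (sent.size !== reported.size) return 'mismatch';
  let rewritten = false;
  for (const [name, sentValues] of sent) {
    const repValues = reported.get(name);
    if (!repValues || repValues.length !== sentValues.length) return 'mismatch';
    for (let i = 0; i < sentValues.length; i++) {
      const a = sentValues[i].toLowerCase();
      const b = repValues[i];
      if (a === b.toLowerCase()) continue;
      if (a === "'self'" && isOriginToken(b, origin)) {
        rewritten = true;
        continue;
      }
      return 'mismatch';
    }
  }
  return rewritten ? 'self-rewritten' : 'verbatim';
}

// Parse a report-uri POST body (application/csp-report) and classify it.
// `sentPolicy` is the Content-Security-Policy value the server emitted for
// the reporting document; the origin is derived from "document-uri".
function classifyReport(body, sentPolicy) {
  const report = JSON.parse(body)['csp-report'];
  if (!report || typeof report['original-policy'] !== 'string' ||
      typeof report['document-uri'] !== 'string') {
    return { status: 'malformed' };
  }
  const origin = new URL(report['document-uri']).origin;
  return {
    status: compareOriginalPolicy(sentPolicy, report['original-policy'], origin),
    violatedDirective: report['violated-directive'],
    blockedUri: report['blocked-uri'],
  };
}

// Constructed sample: the shape of report this bug describes Firefox 43
// sending for the header "Content-Security-Policy: default-src 'self'".
// The blocked URI is invented for the example.
const SAMPLE_FIREFOX_REPORT = JSON.stringify({
  'csp-report': {
    'document-uri': 'https://scotthelme.co.uk/',
    'violated-directive': 'default-src',
    'original-policy': 'default-src https://scotthelme.co.uk/',
    'blocked-uri': 'https://cdn.example/script.js',
  },
});

const SAMPLE_RESULT = classifyReport(SAMPLE_FIREFOX_REPORT, "default-src 'self'");
console.log(SAMPLE_RESULT);
```

Treating 'self-rewritten' as its own class rather than as a mismatch matters for anyone keying alerts or deduplication on the original-policy string: with the behaviour in this bug, the same policy produces a different string per origin, and a naive exact-match check would flag every Firefox report as tampered.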
Component: Untriaged → DOM: Security
Product: Firefox → Core
(In reply to Gingerbread Man from comment #2)
> Bug 1212429?

Nope, this bug is regarding the value 'self' being modified in the resulting CSP report about a violation.
Blocks: csp-w3c-3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [domsecurity-backlog]
Severity: normal → S3
Status: NEW → RESOLVED
Closed: 2 years ago
Duplicate of bug: 1474537
Resolution: --- → DUPLICATE