This is a spin off of https://webcompat.com/issues/18902 not sure if it should be opened in Security or in HTTP component. The site has been fixed. https://www.cpf.gov.sg/members The issue was that the site was using an invalid character U+00A0 (no-break space) in the Content-Security-Policy header. Content-Security-Policy: script-src 'self' 'unsafe-inline' 'unsafe-eval' __www.adobetag.com assets.adobedtm.com https://www.google-analytics.com https://www.google.com/recaptcha/ https://www.gstatic.com/recaptcha/; style-src 'self' 'unsafe-inline' Tests have been added to web-platform-tests https://github.com/web-platform-tests/wpt/pull/13228 Chrome is passing the tests Firefox fails two of them. See the thoughts in https://webcompat.com/issues/18902#issuecomment-425481513

Currently there is an open spec issue that might affect work on this bug: https://github.com/w3c/webappsec-csp/issues/6. I see two possibilities as to why the test fails on Firefox: 1) Firefox does treat U+00A0 as a valid space and therefore treats the policy as valid. In this case this should be fixed as it's orthogonal to the spec issue above. 2) Firefox does not parse the policy because of the invalid space but falls back on some sort of default policy (for example `default-src 'self'`, or something like that). In this case we should hold off on fixing this as it is possible that after the spec issue is fixed it might actually align with current Firefox behavior.

The tests that Andy added have results shown here: https://wpt.fyi/results/content-security-policy/generic/only-valid-whitespaces-are-allowed.html?label=experimental