The following tests fail in Firefox but pass in other browsers as documented in https://foolip.github.io/ad-hoc-wpt-results-analysis/firefox-lone-failures.html /content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html /content-security-policy/font-src/font-self-allowed.html /content-security-policy/generic/only-valid-whitespaces-are-allowed.html /content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html /content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html /content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html /content-security-policy/reporting/report-same-origin-with-cookies.html /content-security-policy/style-src/style-src-hash-default-src-allowed.html /content-security-policy/style-src/stylehash-default-src.sub.html

Some of those tests will be fixed within Bug 965637, in particular: * content-security-policy/base-uri/base-uri_iframe_sandbox.sub.html * content-security-policy/inheritance/inherited-csp-list-modifications-are-local.html We never send cookies for reports, no matter if same origin or cross origin, see: https://searchfox.org/mozilla-central/source/dom/security/nsCSPContext.cpp#1012 hence the following test is failing: * content-security-policy/reporting/report-same-origin-with-cookies.html It seems that our parser is to forgiving and also accepts invalid whitespaces, hence the following test is failing: * content-security-policy/generic/only-valid-whitespaces-are-allowed.html Our implementation does not hide 'nonce' content attribute, hence the following tests are failing: * content-security-policy/nonce-hiding/script-nonces-hidden-meta.tentative.sub.html * content-security-policy/nonce-hiding/script-nonces-hidden.tentative.html Ultimately we can take a closer look and fix those few wpt-tests for CSP, but I would like to defer to after Bug 965637 has landed (which should happen end of Q1) which definitely makes things a whole lot easier.