As of 1b3c4fcf96d3 (fix for 6358), the "security.csp.enable" attribute has been set
to false. Because it is in the "frozen" section, it cannot be overridden with the FirefoxProfile.
I am trying to automate CSP testing and it is impossible because it cannot be enabled.
What steps will reproduce the problem?
1. From a selenium test, go to any page with CSP enabled, for example with the "Content-Security-Policy" header "default-src self; report-uri http://www.example.com/csp"
2. On that page add some inline JS such as:
   `document.write("<span id='inline-content'>Inline content</span>");`
3. Observe that the content is written so the JS is running. Further observe via network panel in dev tools or a proxy that there is no CSP report generated.
I think having CSP disabled is a fine default, but not allowing override is a major
Selenium version: 2.41.0
Browser version: 24.6.0
Reported by email@example.com on 2014-07-22 20:35:27
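A local harness for the reproduction steps above, added here as an example and not part of the original issue or of Selenium: it serves a page with the inline script under a CSP header and records the violation reports a browser sends, so a test can tell whether the browser under automation enforced the policy. The `/csp` report path, the quoted `'self'` keyword and all function names are assumptions of this example.

```python
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed policy: same shape as the header in the report, with the
# report-uri pointed at this local server (the /csp path is an assumption).
POLICY = "default-src 'self'; report-uri /csp"
PAGE = (b"<!doctype html><body><script>"
        b"document.write(\"<span id='inline-content'>Inline content</span>\");"
        b"</script></body>")
reports = []  # violation reports received from the browser


class CspHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Security-Policy", POLICY)
        self.send_header("Content-Length", str(len(PAGE)))
        self.end_headers()
        self.wfile.write(PAGE)

    def do_POST(self):
        # Browsers POST violation reports as JSON to the report-uri.
        body = self.rfile.read(int(self.headers.get("Content-Length", 0)))
        try:
            reports.append(dict(json.loads(body)["csp-report"]))
            status = 204
        except (ValueError, KeyError, TypeError):
            status = 400  # not a well-formed CSP report
        self.send_response(status)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep test output quiet


def start_server():
    """Start on an ephemeral localhost port; returns (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), CspHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def csp_enforced():
    """True if a browser that loaded the page reported the inline script."""
    return any(str(r.get("violated-directive", ""))
               .startswith(("default-src", "script-src")) for r in reports)
```

A browser test loads the base URL returned by `start_server()`, then checks `csp_enforced()` and that the `inline-content` element is absent; with CSP disabled in the browser, the element is present and no report arrives.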
We are able to overwrite this CSP setting with `.setPreference('security.csp.enable',
This results in CSP warnings from injected Selenium scripts though.
What needs to be done to run Firefox with CSP enabled?
Reported by firstname.lastname@example.org on 2014-08-18 17:01:43
The current FirefoxDriver implementation has serious dysfunction when CSP is enabled.
It is next to impossible to fix this. Let's hope the next implementation aka Marionette
will be able to work with CSP enabled.