ebanking.wesleyanbank.co.uk - Page design is broken

[webcompat-bot]

URL: https://ebanking.wesleyanbank.co.uk/CustomerLogins

Browser / Version: Firefox 93.0
Operating System: Windows 10
Tested Another Browser: Yes Edge

Problem type: Design is broken
Description: Items are misaligned
Steps to Reproduce:
Home page looks ok. clicked log in then under Wesleyan Bank online clicked log in to Wesleyan Bank. the next page is just text no graphics

View the screenshot

Browser Configuration

• None

From webcompat.com with ❤️

[softvision-oana-arbuzov]

Thanks for the report, I was able to reproduce the issue.

Note:

1. The issue is not reproducible on Chrome.
2. The issue is reproducible on Firefox Nightly regardless of the ETP status.

Console:

Tested with:
Browser / Version: Firefox Nightly 95.0a1 (2021-10-26), Firefox Release 93.0
Operating System: Windows 10 Pro

Moving to Needsdiagnosis for further investigation.

[wisniewskit]

I see this:

Content Security Policy: Couldn’t parse invalid host â��noneâ��
Content Security Policy: Couldn’t parse invalid host â��selfâ�� 3
Content Security Policy: Couldn’t parse invalid host â��noneâ��

And of course, that's followed by this:

Content Security Policy: The page’s settings blocked the loading of a resource at https://ebanking.wesleyanbank.co.uk/assets/css/styles-output.css?v=1.0 (“style-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://ebanking.wesleyanbank.co.uk/assets/images/WesLogo.svg (“img-src”).
Content Security Policy: The page’s settings blocked the loading of a resource at https://ebanking.wesleyanbank.co.uk/favicon.ico (“img-src”). resource:191:19

So it's an interop issue with how CSP headers are parsed, and this is what Firefox sees:

Content-Security-Policy: default-src �none�; img-src �self�; script-src �self�; style-src �self�; object-src �none�

Chrome seems to see the same thing:

X-Content-Security-Policy: default-src ‘none’; img-src ‘self’; script-src ‘self’; style-src ‘self’; object-src ‘none’

And weirdly, if I copy-as-Curl, I get a gibberish binary response from the server, so I'm not sure what's going on there. (or a blank response from Chrome's copy-as-Curl).

This reminds me of bz1497742 but I'm not sure if it's the same. I'll ping and ask something on the Firefox networking team, but the site can presumably fix this quite easily by not writing out control characters in their CSP headers, and we might be able to do a site patch for this without too much trouble.

[karlcow]

Duplicate of https://bugzilla.mozilla.org/show_bug.cgi?id=1570722