Regressed CSP directives with sources containing capital letters are not applied

Published: | Categories: Privacy & Security | Creative Commons BY-SA 3.0

Description

In Firefox 35, Content Security Policy (CSP) directives are not applied properly if their source URLs contain capital letters, such as https://www.example.com/OnlineBanking. Mozilla developers have found that Firefox’s current CSP implementation internally lowercases source URLs, so they no longer match the actual URLs. This issue has been fixed in Firefox 35.0.1.
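A simplified model of the mismatch described above, as an added example that is not Firefox's code or part of the original advisory: CSP source matching treats scheme and host case-insensitively but the path case-sensitively, so lowercasing the stored source makes the path comparison fail. The function names, the `foldCase` flag and the request URLs are assumptions made for illustration.

```javascript
// Simplified model of CSP source-expression matching (scheme, host, path only).
// Not Firefox's code: no ports, wildcards, or percent-decoding.

// Split a source expression into parts. `foldCase` models the regression:
// the whole expression is lowercased before it is stored.
function parseSource(expr, foldCase) {
  const text = foldCase ? expr.toLowerCase() : expr;
  const m = /^([a-z][a-z0-9+.-]*):\/\/([^\/]+)(\/.*)?$/i.exec(text);
  if (!m) throw new Error("unsupported source expression: " + expr);
  return { scheme: m[1].toLowerCase(), host: m[2].toLowerCase(), path: m[3] || "" };
}

function pathMatches(sourcePath, urlPath) {
  if (sourcePath === "") return true;            // no path-part: any path allowed
  if (sourcePath.endsWith("/")) return urlPath.startsWith(sourcePath); // prefix
  return urlPath === sourcePath;                 // exact, case-sensitive
}

function allows(sourceExpr, requestUrl, foldCase = false) {
  const src = parseSource(sourceExpr, foldCase);
  const url = new URL(requestUrl);               // URL lowercases scheme and host
  return url.protocol === src.scheme + ":" &&
         url.hostname === src.host &&
         pathMatches(src.path, url.pathname);
}

// Constructed sample data; the source is the example URL from the advisory.
const SOURCE = "https://www.example.com/OnlineBanking";
const REQUESTS = [
  "https://www.example.com/OnlineBanking",
  "https://WWW.EXAMPLE.COM/OnlineBanking",
  "https://www.example.com/onlinebanking",
];

// Evaluate each request against the case-aware and the lowercasing matcher.
function compare() {
  return REQUESTS.map((u) => ({
    url: u,
    caseAware: allows(SOURCE, u, false),
    folded: allows(SOURCE, u, true),
  }));
}

console.table(compare());
```

With the lowercased source, the URL the policy author actually listed stops matching, while a differently cased path that was never listed does match.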
