Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

CSP strikes again

  • 3 cavab
  • 0 have this problem
  • 8 views
  • Last reply by zeroknight

more options

CSP strikes again,

This morning I was trying to look at archive.org and the website wouldn't load and just show a blank white page (not my blank page theme which is dark)

I tried refreshing a few times, and it didn't work, then I opened developer tools and noticed every resource from website is blocked by CSP. I know probably this is a wrong configuration from archive.org developers causing the page to not load.

GET archive.org HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 18 Jul 2023 03:36:25 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive vary: Accept-Encoding content-security-policy: base-uri 'self'; default-src *; img-src *; object-src 'none'; script-src https://archive.org/offshoot_assets/ https://*.archive.org/offshoot_assets/ https://offshoot.prod.archive.org/offshoot_assets/ https://archive.org/includes/ https://*.archive.org/includes/ https://offshoot.prod.archive.org/includes/ https://archive.org/components/ https://*.archive.org/components/ https://offshoot.prod.archive.org/components/ https://archive.org/jw/ https://*.archive.org/jw/ https://offshoot.prod.archive.org/jw/ https://av.prod.archive.org/js/ https://esm.archive.org/ https://polyfill.archive.org/v3/polyfill.min.js 'sha256-CoX53XgCdkM1zegYEEpMUeYIZnv663inNm8bQv2VRbM='; style-src 'unsafe-inline' https://archive.org/ https://*.archive.org/ https://offshoot.prod.archive.org/; Strict-Transport-Security: max-age=15724800 Expires: Tue, 18 Jul 2023 03:51:25 GMT Cache-Control: max-age=900 Referrer-Policy: no-referrer-when-downgrade X-Content-Encoding-Over-Network: gzip

from start CSP bring nothing for me other than trouble. In fact I had so much trouble with it, that when a website doesn't load or loads incomplete, I immediately hit F12 to see if anything is blocked by CSP.

I know some very knowledgeable people will come and tell me you will die instantly or will turn to stone if you disable CSP, but I'm readly fed up with this thing that is controled by a header that can be changed with a proxy or even extension which then controls how browser will load a website. just the same way that some web developers use User-agent and HTTP-Referer as a security measure in their website.

I was able to disable CSP in firefox 98 and browse the website. but can't do it with firefox 100 and above (109 currently)

I tried removing the CSP header with extension, but I can remove any header I want but not CSP

Apparently someone in firefox team is obsessed with removing user modifiable features and making it harder and harder everyday to achieve the same functionality (e.g. renaming about:config settings, disabling or removing them) or in other words, pushing their will on their end users on how they should use their browser.

I'm a software developer, I can recompile firefox, and I want CSP and in fact any behavior that relies on a HTTP-header to be gone, but I'm really busy with my own work. and don't have time to read through entire code of the firefox.

I would like to ask if someone can direct me to the part of mozilla code that contains CSP so I can remove it and compile the thing again so I have a browser that doesn't block me from what I like to do.

CSP strikes again, This morning I was trying to look at archive.org and the website wouldn't load and just show a blank white page (not my blank page theme which is dark) I tried refreshing a few times, and it didn't work, then I opened developer tools and noticed every resource from website is blocked by CSP. I know probably this is a wrong configuration from archive.org developers causing the page to not load. GET archive.org HTTP/1.1 200 OK Server: nginx/1.18.0 (Ubuntu) Date: Tue, 18 Jul 2023 03:36:25 GMT Content-Type: text/html; charset=utf-8 Transfer-Encoding: chunked Connection: keep-alive vary: Accept-Encoding content-security-policy: base-uri 'self'; default-src *; img-src *; object-src 'none'; script-src https://archive.org/offshoot_assets/ https://*.archive.org/offshoot_assets/ https://offshoot.prod.archive.org/offshoot_assets/ https://archive.org/includes/ https://*.archive.org/includes/ https://offshoot.prod.archive.org/includes/ https://archive.org/components/ https://*.archive.org/components/ https://offshoot.prod.archive.org/components/ https://archive.org/jw/ https://*.archive.org/jw/ https://offshoot.prod.archive.org/jw/ https://av.prod.archive.org/js/ https://esm.archive.org/ https://polyfill.archive.org/v3/polyfill.min.js 'sha256-CoX53XgCdkM1zegYEEpMUeYIZnv663inNm8bQv2VRbM='; style-src 'unsafe-inline' https://archive.org/ https://*.archive.org/ https://offshoot.prod.archive.org/; Strict-Transport-Security: max-age=15724800 Expires: Tue, 18 Jul 2023 03:51:25 GMT Cache-Control: max-age=900 Referrer-Policy: no-referrer-when-downgrade X-Content-Encoding-Over-Network: gzip from start CSP bring nothing for me other than trouble. In fact I had so much trouble with it, that when a website doesn't load or loads incomplete, I immediately hit F12 to see if anything is blocked by CSP. I know some very knowledgeable people will come and tell me you will die instantly or will turn to stone if you disable CSP, but I'm readly fed up with this thing that is controled by a header that can be changed with a proxy or even extension which then controls how browser will load a website. just the same way that some web developers use User-agent and HTTP-Referer as a security measure in their website. I was able to disable CSP in firefox 98 and browse the website. but can't do it with firefox 100 and above (109 currently) I tried removing the CSP header with extension, but I can remove any header I want but not CSP Apparently someone in firefox team is obsessed with removing user modifiable features and making it harder and harder everyday to achieve the same functionality (e.g. renaming about:config settings, disabling or removing them) or in other words, pushing their will on their end users on how they should use their browser. I'm a software developer, I can recompile firefox, and I want CSP and in fact any behavior that relies on a HTTP-header to be gone, but I'm really busy with my own work. and don't have time to read through entire code of the firefox. I would like to ask if someone can direct me to the part of mozilla code that contains CSP so I can remove it and compile the thing again so I have a browser that doesn't block me from what I like to do.
Attached screenshots

All Replies (3)

more options

Hello,

I understand that you're experiencing difficulties with Content Security Policy (CSP) causing issues when accessing a website and you're looking for assistance in resolving this. While it's unfortunate that you're facing trouble, I'd like to inform you that modifying or removing core functionalities like CSP from Firefox by recompiling the browser is not recommended or supported.

Content Security Policy is an important security mechanism implemented by websites to protect against various types of attacks. It helps to restrict the resources that a web page can load and enforce certain security policies. Disabling or removing CSP can leave your browser more vulnerable to potential threats.

In this case, the issue seems to be with the specific website's CSP configuration, which is blocking the necessary resources from loading. It would be best to reach out to the website's developers or administrators and inform them about the problem you encountered. They will have the expertise to address the issue and adjust their CSP settings accordingly.

If you're encountering similar issues on other websites, it might be worth checking if there are any extensions or plugins installed that could be interfering with CSP or causing conflicts. Disabling or removing such extensions temporarily can help identify if they are the root cause of the problem.

I understand that you have concerns about certain browser functionalities being changed or removed, but these modifications are typically made to enhance security, privacy, and overall user experience. The Firefox team strives to strike a balance between these factors.

If you have any further questions or need assistance with any other Firefox-related concerns, please don't hesitate to reach out. We're here to help!

Best regards, Suram.

more options

I notice your screenshot of the Network Monitor shows HTTP: URLs, while the CSP rules expect HTTPS. Could you test the site on HTTPS (for the URL in the address bar) and see whether that makes any difference.

As for finding things in the source code, since you are programmer, it probably will be faster for you than it would be for me. https://searchfox.org/mozilla-release/source/

more options

archive.org loads fine for me with HTTPS and no CSP errors. See if it still happens in Troubleshoot Mode.