OS etc Developing on Lubuntu 20.04 inside Virtualbox 5.2.42 on host Ubuntu 18.04.6 LTS
I’m serving a site on localhost using the php development server:
php -S 0.0.0.0:8080 -t /home/alan/DEV/
index.html is
<!DOCTYPE HTML>
<html>
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
</head>
<body>
<div id="main"></div>
<script src="/main.js"></script>
<script src="/script.js"></script>
</body>
</html>
Chromium has no problem viewing the page at localhost:8080. Until recently, neither did Firefox.
However, I just tried to connect on Firefox 122.0.1 . Nothing of the page is displayed, and I get these errors in the browser console:
Content-Security-Policy: The page's settings blocked the loading of a resource at data: ("media-src"). localhost:8080
Content-Security-Policy: The page's settings blocked the loading of a resource at http://localhost:8080/main.js ("script-src-elem"). localhost:8080
Content-Security-Policy: The page's settings blocked the loading of a resource at http://localhost:8080/script.js ("script-src-elem"). localhost:8080
Looking at about:config in Firefox, and searching on content-security, I see the following:
extensions.webextensions.base-content-security-policy:
script-src 'self' https://* http://localhost:* http://127.0.0.1:* moz-extension: blob: filesystem: 'unsafe-eval' 'wasm-unsafe-eval' 'unsafe-inline';
extensions.webextensions.base-content-security-policy.v3:
script-src 'self' 'wasm-unsafe-eval';
extensions.webextensions.default-content-security-policy:
script-src 'self' 'wasm-unsafe-eval';
extensions.webextensions.default-content-security-policy.v3:
script-src 'self'; upgrade-insecure-requests;
I tried adding <meta http-equiv="Content-Security-Policy" content="default-src 'self'"> to the head of my index.html file, but it made no difference (except it partially screwed up the page layout on Chromium).