Web Compatibility Support • Re: duck.ai - doesn't work with csp enabled

Now what's weird is, if you set security.csp.enable = false, duck.ai starts working. And then if you set security.csp.enable = true, duck.ai continues working. Go figure.

There is nothing strange about this, it is just working with the cache.

I did a little digging (not extensively; for a full investigation, I'd first need to write an extension), but it seems the problem with csp occurs when is used and/or is mixed with in a single directive. It's as if processing such a directive causes a fallback to "default-src." But this is just a guess.

And yes, this isn't the only site where csp is causing issues; it's just that here it's highly visible.