Should DevTools override the web page’s Content Security Policy restrictions?

My website has a very strict Content Security Policy (CSP). I followed the advice on Mozilla Observatory.

The problem is, when I use Firefox DevTools, I am limited by my site’s CSP. For example, I cannot edit styles because those are inline styles, which are disallowed by the CSP, and I can’t load third-party scripts to the page because those are disallowed by the CSP as well.


Shouldn’t I be able to do whatever I want when I hack on a web page via DevTools? As far as DevTools actions are concerned, CSP limitations should not apply, I think. It only makes my job as a web developer harder.

Hi Šime,

This is an unfortunate limitation of Firefox DevTools at the moment which we are aware of and have made some progress toward fixing in the past, but never enough that it is a seamless experience.

As far as the CSP engine is concerned, there are no differences between changes happening in and out of DevTools, so it’s been a challenge to make the right architecture changes to fix that.

So, long story short, it still is a problem today, and likely to remain one for some more time I’m afraid.

I am sorry for the frustration this is causing. I can only point you to the right bug:

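Why the two actions in the question are refused, as an added example that is not part of the thread and is not Firefox's code: a simplified CSP check that has no notion of who initiated a change, so an inline style edit or a third-party script load gets the same verdict from any caller. The sample policy, origins and function names are constructed for illustration; paths, wildcards and `'strict-dynamic'` are not handled.

```javascript
// Simplified CSP evaluation (illustration only, not a browser's implementation).
// Covers: default-src fallback, 'none', 'self', 'unsafe-inline',
// nonce/hash sources, and host sources without paths or wildcards.

// Constructed sample: a strict policy of the kind the question describes.
const SAMPLE_POLICY =
  "default-src 'none'; script-src 'self'; style-src 'self'; img-src 'self'";

function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// A fetch directive that is absent falls back to default-src.
function sourcesFor(directives, name) {
  return directives.get(name) ?? directives.get("default-src") ?? null;
}

// Inline content needs 'unsafe-inline', which a nonce or hash source cancels.
function allowsInline(directives, name) {
  const sources = sourcesFor(directives, name);
  if (sources === null) return true; // nothing governs this resource type
  const lower = sources.map((s) => s.toLowerCase());
  const nonceOrHash = lower.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  return lower.includes("'unsafe-inline'") && !nonceOrHash;
}

function allowsUrl(directives, name, url, pageOrigin) {
  const sources = sourcesFor(directives, name);
  if (sources === null) return true;
  const origin = new URL(url).origin;
  return sources.some((s) => {
    const src = s.toLowerCase();
    if (src === "'self'") return origin === pageOrigin;
    if (src.startsWith("'")) return false; // 'none' and other keywords match no URL
    // Scheme-less host sources are compared using the page's scheme.
    const full = src.includes("://") ? src : `${new URL(pageOrigin).protocol}//${src}`;
    try { return new URL(full).origin === origin; } catch { return false; }
  });
}

// The two actions from the question, evaluated with no notion of "who asked".
function devtoolsActions(header, pageOrigin, scriptUrl) {
  const d = parsePolicy(header);
  return {
    inlineStyleEdit: allowsInline(d, "style-src"),
    thirdPartyScript: allowsUrl(d, "script-src", scriptUrl, pageOrigin),
  };
}
```
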