Demo: Firefox CSP bug: matching %-encoded paths


https://demos.scheurle.info/firefox/csp-url-matching/test1/image.png:
Could not load image!
https://demos.scheurle.info/firefox/csp-url-matching/t%C3%A4st2/image.png:
Could not load image!

This page contains two images, both whitelisted in its Content Security Policy, but only the first one is shown. It seems Firefox is confused by the %-encoded path. CSP 1.1 or above states:

Let uri-path be the path of the URI after decoding percent-encoded characters. [...] If the source expression contains a non-empty path, then: Let decoded-path be the result of decoding path's percent-encoded characters. [...] If the final character of decoded-path is not the U+002F SOLIDUS character (/), and decoded-path is not an exact match for uri-path then return does not match. Otherwise, return does match.
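
The path step quoted above, as an added JavaScript example (not code from this page or from Firefox), useful for checking what a policy should allow before blaming the browser. The function names, the origin-only host check, the fallback for malformed escapes, and the prefix rule for paths ending in "/" (the step elided from the quote) are assumptions; the lowercase-hex and directory source expressions are constructed.

```javascript
// Added example: path step of CSP source-expression matching (names are illustrative).

// Percent-decode a path. decodeURIComponent throws on malformed escapes
// (e.g. "%E4" alone is not valid UTF-8); in that case keep the raw string.
function decodePath(path) {
  try {
    return decodeURIComponent(path);
  } catch (e) {
    return path; // fallback chosen for this example, not taken from the spec text
  }
}

// sourcePath: path of the source expression; uriPathRaw: path of the requested URL.
function pathMatches(sourcePath, uriPathRaw) {
  const uriPath = decodePath(uriPathRaw);
  const decodedPath = decodePath(sourcePath);
  if (decodedPath.endsWith("/")) {
    // Assumption: the step elided from the quote treats a trailing "/" as a prefix match.
    return uriPath.startsWith(decodedPath);
  }
  return decodedPath === uriPath; // quoted step: exact match after decoding
}

// Simplified source-expression check: same origin, then the path step above.
function sourceMatchesUrl(sourceExpr, url) {
  const src = new URL(sourceExpr);
  const target = new URL(url);
  return src.origin === target.origin && pathMatches(src.pathname, target.pathname);
}

// Contrast: comparing the raw, still-encoded paths without decoding.
function rawPathEquals(sourceExpr, url) {
  return new URL(sourceExpr).pathname === new URL(url).pathname;
}

const BASE = "https://demos.scheurle.info/firefox/csp-url-matching/";
const IMG1 = BASE + "test1/image.png";            // URL from the page
const IMG2 = BASE + "t%C3%A4st2/image.png";       // URL from the page
const SRC_LOWER = BASE + "t%c3%a4st2/image.png";  // constructed: lowercase hex digits
const SRC_DIR = BASE + "t%C3%A4st2/";             // constructed: directory source

console.log("exact source, encoded path:", sourceMatchesUrl(IMG2, IMG2));
console.log("lowercase hex, decoded compare:", sourceMatchesUrl(SRC_LOWER, IMG2));
console.log("lowercase hex, raw compare:", rawPathEquals(SRC_LOWER, IMG2));
console.log("directory source:", sourceMatchesUrl(SRC_DIR, IMG2));
console.log("other image's source:", sourceMatchesUrl(IMG1, IMG2));
```

Because both sides are decoded before comparison, the spelling of the escape in the policy (uppercase hex, lowercase hex, or a literal "ä") does not change the result; only the raw comparison is sensitive to it.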