Bug 1848315 Comment 8 Edit History

Note: The actual edited comment in the bug view page will always show the original commenter’s name and original timestamp.

I've updated the CSP error messages, and for example they now look like the following.

An onload event handler:
> Content-Security-Policy: The page’s settings blocked an event handler (script-src-attr) from being executed because it violates the following CSP: “default-src 'none'”
Source: alert('onload'); csp-directive.html

An image:
> Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at http://0.0.0.0:8000/image.png because it violates the following CSP: “default-src 'none'” csp-directive.html

A normal script:
> Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://0.0.0.0:8000/report.js from being executed because it violates the following CSP: “default-src 'none'” csp-directive.html


I am still a bit unsure about "Report-Only" messages, but I roughly did this:
> Content-Security-Policy: (Report-Only policy) The page’s settings would block the loading of a resource (img-src) at http://0.0.0.0:8000/image.png because it violates the following CSP: “default-src 'none'” csp-directive.html

I would love to get some feedback about the general contents and wording of these messages, before I start updating whatever tests those changes will break.

I've updated the CSP error messages, and for example they now look like the following.

An onload event handler:
> Content-Security-Policy: The page’s settings blocked an event handler (script-src-attr) from being executed because it violates the following CSP: “default-src 'none'”
Source: alert('onload');

An image:
> Content-Security-Policy: The page’s settings blocked the loading of a resource (img-src) at http://0.0.0.0:8000/image.png because it violates the following CSP: “default-src 'none'”

A normal script:
> Content-Security-Policy: The page’s settings blocked a script (script-src-elem) at http://0.0.0.0:8000/report.js from being executed because it violates the following CSP: “default-src 'none'”

I am still a bit unsure about "Report-Only" messages, but I roughly did this:
> Content-Security-Policy: (Report-Only policy) The page’s settings would block the loading of a resource (img-src) at http://0.0.0.0:8000/image.png because it violates the following CSP: “default-src 'none'”

I would love to get some feedback about the general contents and wording of these messages, before I start updating whatever tests those changes will break.
