Closed Bug 846738 Opened 11 years ago Closed 2 years ago

CSP WARN: Failed to parse unrecognized source 'unsafe-inline'

Categories

(Core :: DOM: Security, defect)

19 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: pawel.krawczyk, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Go to http://csptesting.herokuapp.com and run the Content Security Policy tests, then look at the JavaScript console.


Actual results:

Firefox logs error messages on received CSP:

[13:47:55.977] CSP WARN:  Failed to parse unrecognized source 'unsafe-inline'

Headers set by the server:

Content-Security-Policy	default-src 'self'; style-src 'unsafe-inline'
X-Webkit-Csp	default-src 'self'; style-src 'unsafe-inline'
x-content-security-policy	default-src 'self'; style-src 'unsafe-inline'


Expected results:

According to the CSP 1.0 specification, unsafe-inline is a valid CSP keyword that should result in allowing inline JavaScript.

Works for me with the latest Nightly, build ID: 20130304030933.
I don't get this warning:  CSP WARN:  Failed to parse unrecognized source 'unsafe-inline'.

Component: Untriaged → Security

Works for me on version 23.0. I get 135/187 pass, no warnings about 'unsafe-inline', but lots of warnings saying:

This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored. @ http://csptesting.herokuapp.com/test/load/186

which seems correct to me.

Worked for me on 27.0.1.
No warnings about unsafe-inline.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Component: Security → DOM: Security
Product: Firefox → Core
Resolution: --- → WORKSFORME