Closed Bug 1083358 Opened 11 years ago Closed 10 years ago

Content Security policy violations reported when using nonces without 'unsafe-inline'

Categories

(Core :: Security, defect)

33 Branch
x86_64
Windows 8.1
defect
Not set
normal

RESOLVED DUPLICATE of bug 1026520

People

(Reporter: klingsen, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0
Build ID: 20141011015303

Steps to reproduce:

Set nonces for inline scripts/styles, but not the 'unsafe-inline' source. Example web page here: http://www.nwebsec.com/FirefoxCsp

Actual results:

Inline script is executed as expected, style is applied as expected but there are warnings reported in the console. Firefox also reports CSP violations to server.

Expected results:

Script/style should be executed, without errors in the console and CSP violation reports being sent. Note that including the 'unsafe-inline' source along with the nonce produces the expected behaviour. See both demo pages to observe the difference.
Component: General → Networking: HTTP
Component: Networking: HTTP → Security
This issue persists in Firefox 42.0a2 (running on Windows 10).
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
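The two policy variants described in the report, with a simplified model of the CSP Level 2 inline decision, as an added example that is not code from this bug or from the demo page. The function names (`newNonce`, `buildCsp`, `parseCsp`, `inlineAllowed`) are hypothetical, and the model ignores `default-src` fallback and hash matching.

```javascript
const crypto = require('crypto');

// Fresh, unpredictable nonce per response (128 bits, base64-encoded).
function newNonce() {
  return crypto.randomBytes(16).toString('base64');
}

// Header variants from the report: nonce only, or nonce plus 'unsafe-inline'.
function buildCsp(nonce, withUnsafeInline) {
  const src = [`'nonce-${nonce}'`];
  if (withUnsafeInline) src.push("'unsafe-inline'");
  return `script-src ${src.join(' ')}; style-src ${src.join(' ')}`;
}

// Parse a policy string into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Simplified CSP Level 2 decision for one inline <script> or <style>.
// elementNonce is the element's nonce attribute value, or null if absent.
function inlineAllowed(header, directive, elementNonce) {
  const sources = parseCsp(header)[directive];
  if (!sources) return true; // directive absent (default-src not modelled)
  const nonces = sources
    .filter((s) => /^'nonce-.+'$/.test(s))
    .map((s) => s.slice(7, -1)); // strip leading 'nonce- and trailing quote
  const hasHash = sources.some((s) => /^'sha(256|384|512)-/.test(s));
  // A matching nonce allows the element and produces no violation report.
  if (elementNonce && nonces.includes(elementNonce)) return true;
  // 'unsafe-inline' only counts when no nonce or hash source is listed.
  if (nonces.length === 0 && !hasHash) return sources.includes("'unsafe-inline'");
  return false;
}
```

Under this model an element carrying the matching nonce is allowed by both variants, while an inline element without a nonce is blocked by both, because a Level 2 user agent ignores 'unsafe-inline' once a nonce source is listed.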