Closed Bug 1165614 Opened 5 years ago Closed 5 years ago
CSP Warnings for unsafe-inline despite nonce
Say a page has a CSP policy that does not allow unsafe-inline but allows inline script tags using nonce. On hitting this script tag with the right nonce tag, the script loads fine but Firefox still shows a warning.
@dveditz pointed out that the bug might be in https://mxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#436 : appending the inline script violation happens before the check/report for nonce/hash.
Also sends csp report out.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026520
You need to log in before you can comment on or make changes to this bug.