CSP Warnings for unsafe-inline despite nonce

RESOLVED DUPLICATE of bug 1026520

Status

defect
4 years ago

People

(Reporter: devd, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

Reporter

Description

4 years ago
Say a page has a CSP policy that does not allow unsafe-inline but allows inline script tags using nonce.

On hitting this script tag with the right nonce tag, the script loads fine but Firefox still shows a warning.
Reporter

Comment 1

4 years ago
@dveditz pointed out that the bug might be in https://mxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#436 : appending the inline script violation happens before the check/report for nonce/hash.

Comment 2

4 years ago
Also sends CSP report out.
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026520
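
The ordering issue raised in Comment 1, as an added example that is not part of the bug report and is not Firefox's code: a simplified JavaScript model of the inline-script check, showing the report-first ordering next to the nonce-first ordering. The function names, the sample policy and the nonce are constructed, and the model handles only `script-src` nonces (no hashes, no `default-src` fallback).

```javascript
// Simplified model of the inline-script CSP check (constructed for illustration).

// Return the source list of the script-src directive, or null if there is none.
function scriptSrcSources(policy) {
  for (const directive of policy.split(';')) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === 'script-src') return sources;
  }
  return null; // assumption: without script-src, this model restricts nothing
}

// True when the script's nonce attribute matches a 'nonce-...' source expression.
function nonceMatches(sources, nonce) {
  return Boolean(nonce) && sources.includes(`'nonce-${nonce}'`);
}

// Ordering described in the report: the inline violation is recorded
// before the nonce is consulted, so a permitted script still warns/reports.
function checkInlineReportFirst(policy, scriptNonce) {
  const sources = scriptSrcSources(policy);
  const violations = [];
  if (sources === null) return { allowed: true, violations };
  const unsafeInline = sources.includes("'unsafe-inline'");
  if (!unsafeInline) violations.push('inline script blocked by script-src');
  const allowed = unsafeInline || nonceMatches(sources, scriptNonce);
  return { allowed, violations };
}

// Expected ordering: decide first, record a violation only when
// neither 'unsafe-inline' nor a matching nonce allows the script.
function checkInlineNonceFirst(policy, scriptNonce) {
  const sources = scriptSrcSources(policy);
  const violations = [];
  if (sources === null) return { allowed: true, violations };
  const allowed = sources.includes("'unsafe-inline'") ||
                  nonceMatches(sources, scriptNonce);
  if (!allowed) violations.push('inline script blocked by script-src');
  return { allowed, violations };
}

// Constructed sample policy: no 'unsafe-inline', one nonce.
const POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
```

With the report-first ordering, a correctly nonced script is allowed yet still produces one violation entry, which matches the warning and the outgoing report described in this bug.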