Closed Bug 1165614 Opened 9 years ago Closed 9 years ago

CSP Warnings for unsafe-inline despite nonce

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1026520

People

(Reporter: devd, Unassigned)

Details

Say a page has a CSP policy that does not allow unsafe-inline but allows inline script tags using nonce.

On hitting this script tag with the right nonce tag, the script loads fine but Firefox still shows a warning.
@dveditz pointed out that the bug might be in https://mxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#436 : appending the inline script violation happens before the check/report for nonce/hash.
Also sends csp report out.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.