Closed Bug 1165614 Opened 5 years ago Closed 5 years ago

CSP Warnings for unsafe-inline despite nonce

Categories

(Core :: Security, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1026520

People

(Reporter: devd, Unassigned)

Details

Say a page has a CSP policy that does not allow unsafe-inline but allows inline script tags using nonce.

On hitting this script tag with the right nonce tag, the script loads fine but Firefox still shows a warning.
@dveditz pointed out that the bug might be in https://mxr.mozilla.org/mozilla-central/source/dom/base/nsScriptLoader.cpp#436 : appending the inline script violation happens before the check/report for nonce/hash.
Also sends a CSP report out.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1026520
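
Added example (not from the bug report and not Firefox code): a simplified model of the ordering problem described in the report, where the inline-script violation is recorded before the nonce/hash check, next to the check-then-report ordering. All function names, the policy string and the nonce values are constructed for illustration.

```javascript
// Added illustration, not Firefox code: a simplified model of script-src
// evaluation for an inline <script>. All names here are hypothetical.

// Return the source list of the script-src directive, or null if absent.
// (Simplification: no default-src fallback.)
function scriptSrcSources(policy) {
  for (const directive of policy.split(";")) {
    const [name, ...sources] = directive.trim().split(/\s+/);
    if (name.toLowerCase() === "script-src") return sources;
  }
  return null;
}

const hasUnsafeInline = (sources) =>
  sources.some((s) => s.toLowerCase() === "'unsafe-inline'");

// script = { nonce, sha256 }: sha256 is the base64 SHA-256 digest of the
// script text, assumed to be computed by the caller.
function inlineAllowed(sources, script) {
  const usesNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  // CSP Level 2 and later ignore 'unsafe-inline' when a nonce or hash source is present.
  if (!usesNonceOrHash && hasUnsafeInline(sources)) return true;
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  return Boolean(script.sha256) && sources.includes(`'sha256-${script.sha256}'`);
}

// Ordering the report describes: the violation is recorded as soon as
// 'unsafe-inline' is missing, before the nonce/hash check runs.
function evaluateReportFirst(policy, script) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return { load: true, reports: [] };
  const reports = hasUnsafeInline(sources) ? [] : ["inline script violation"];
  return { load: inlineAllowed(sources, script), reports };
}

// Check first, then report only when the script is actually blocked.
function evaluateCheckFirst(policy, script) {
  const sources = scriptSrcSources(policy);
  if (sources === null) return { load: true, reports: [] };
  const load = inlineAllowed(sources, script);
  return { load, reports: load ? [] : ["inline script violation"] };
}

// Constructed sample policy and scripts.
const POLICY = "default-src 'self'; script-src 'self' 'nonce-r4nd0m'";
const withNonce = { nonce: "r4nd0m" };
const wrongNonce = { nonce: "guess" };
```

With the constructed policy, the report-first model loads the correctly nonced script yet still records a violation, which matches the symptom in the report; the check-first model records one only for the script with the wrong nonce.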