Closed
Bug 1178496
Opened 9 years ago
Closed 8 years ago
Error message for CSP blocked inline scripts or style is confusing
Categories
(Core :: DOM: Security, defect)
RESOLVED
DUPLICATE
of bug 1279894
People
(Reporter: gene, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [domsecurity-backlog])
If you browse with Firefox to a website with CSP policy like this:

> Content-Security-Policy: default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com https://login.persona.org; style-src 'self' https://fonts.googleapis.com;

and webpage contents which include inlined CSS (e.g. style="border:1px;") or inlined scripts (e.g. <script>var foo="bar";</script>)

Errors which look like this are presented in the dev tools console

> Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src https://example.com https://fonts.googleapis.com").

The cause of this error is that with a CSP policy that doesn't include the 'unsafe-inline' directive in the script-src or style-src sections, inlined css or js are blocked.

Would it be possible to improve this text to clarify that a "resource at self" actually means inline style or script?
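The following is an added example, not Firefox code and not part of the original report: a small checker that reads the policy quoted in the description, finds the directive that governs inline script or style, and produces a message that names the inline cause. The function names and the message wording are assumptions made for illustration, and the check is simplified to script-src, style-src and the default-src fallback.

```javascript
// Added example, not Firefox code. Simplification: handles script-src,
// style-src and the default-src fallback only (no *-src-elem / *-src-attr).

// Policy quoted in the bug description.
const POLICY =
  "default-src 'self'; font-src 'self' https://fonts.gstatic.com; " +
  "script-src 'self' https://ajax.googleapis.com https://login.persona.org; " +
  "style-src 'self' https://fonts.googleapis.com;";

// Parse a policy into Map(directive name -> list of source expressions).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored: the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// kind: "script" or "style". Returns the directive that governs inline
// content of that kind and a verdict: "allowed", "blocked" or
// "nonce-or-hash-only".
function inlineVerdict(policy, kind) {
  const directives = parsePolicy(policy);
  const governing = [kind + "-src", "default-src"].find((d) => directives.has(d));
  if (!governing) return { governing: null, verdict: "allowed" };
  const sources = directives.get(governing).map((s) => s.toLowerCase());
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // With a nonce or hash present, CSP2+ browsers ignore 'unsafe-inline'.
  if (hasNonceOrHash) return { governing, verdict: "nonce-or-hash-only" };
  const verdict = sources.includes("'unsafe-inline'") ? "allowed" : "blocked";
  return { governing, verdict };
}

// Console text that names the inline cause explicitly (constructed wording).
function describe(policy, kind) {
  const { governing, verdict } = inlineVerdict(policy, kind);
  if (verdict !== "blocked") return `inline ${kind}: ${verdict}`;
  return `inline ${kind} blocked: ${governing} has no 'unsafe-inline', nonce or hash`;
}

console.log(describe(POLICY, "script"));
console.log(describe(POLICY, "style"));
```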
Comment 1•9 years ago
The text is not in devtools, but dom/ here: https://dxr.mozilla.org/mozilla-central/source/dom/locales/en-US/chrome/security/csp.properties#12
Component: Developer Tools: Console → DOM: Security
Product: Firefox → Core
Updated•8 years ago
Whiteboard: [domsecurity-backlog]
Comment 2•8 years ago
I pumped Bug 1279894 to be a P1, which is a duplicate of this bug!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE