Closed Bug 1178496 Opened 9 years ago Closed 8 years ago

Error message for CSP blocked inline scripts or style is confusing

Categories: Core :: DOM: Security, defect
Priority: Not set
Severity: normal

Tracking: RESOLVED DUPLICATE of bug 1279894

People: Reporter: gene, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [domsecurity-backlog]

If you browse with Firefox to a website with a CSP policy like this:

> Content-Security-Policy: default-src 'self'; font-src 'self' https://fonts.gstatic.com; script-src 'self' https://ajax.googleapis.com https://login.persona.org; style-src 'self' https://fonts.googleapis.com;

and webpage contents which include inlined CSS (e.g. style="border:1px;") or inlined scripts (e.g. <script>var foo="bar";</script>),

errors which look like this are presented in the dev tools console:

> Content Security Policy: The page's settings blocked the loading of a resource at self ("style-src https://example.com https://fonts.googleapis.com").

The cause of this error is that with a CSP policy that doesn't include the 'unsafe-inline' directive in the script-src or style-src sections, inlined CSS or JS is blocked.

Would it be possible to improve this text to clarify that a "resource at self" actually means inline style or script?
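As an added example (this is not code from the bug report or from Firefox), the small checker below shows what the report is asking the message to say: it parses a policy, finds the directive that actually governs an inline script or style (script-src or style-src, falling back to default-src), applies the 'unsafe-inline', nonce and hash rules, and names that directive and the inline resource instead of "a resource at self". The function names and the suggested wording are this example's own; the sample policy is the one quoted in the report.

```javascript
// Added example (not from the bug report or from Firefox): a minimal CSP
// checker that explains *why* an inline script or style is blocked. It parses
// the policy, picks the directive that governs the inline resource (script-src
// or style-src, falling back to default-src) and reports it by name instead of
// "a resource at self". Function names and the suggested wording are this
// example's own; the sample policy is the one quoted in the report.

// Parse "name src src; name src" into Map<directive, [sources]>. Directive
// names are ASCII case-insensitive and the first occurrence of a name wins.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// The directive governing inline `type` ("script" or "style"): the specific
// *-src directive if present, else default-src, else null (unrestricted).
function governingDirective(directives, type) {
  for (const name of [`${type}-src`, "default-src"]) {
    if (directives.has(name)) return { name, sources: directives.get(name) };
  }
  return null;
}

// Keywords like 'unsafe-inline' match case-insensitively; nonce and hash
// values are base64 and are compared exactly.
function hasKeyword(sources, keyword) {
  return sources.some((s) => s.toLowerCase() === `'${keyword}'`);
}
function matchesNonce(sources, nonce) {
  return nonce !== null &&
    sources.some((s) => /^'nonce-/i.test(s) && s.slice(7, -1) === nonce);
}
function matchesHash(sources, hash) {
  return hash !== null &&
    sources.some((s) => /^'sha(256|384|512)-/i.test(s) && s.slice(1, -1) === hash);
}

// Decide whether an inline <script> or <style> block is allowed. `nonce` is
// the element's nonce attribute, `hash` the "sha256-..." digest of its body.
// Event handlers and style attributes additionally need 'unsafe-hashes' for
// hash matching in CSP3; this example does not model that case.
function checkInline(policy, type, { nonce = null, hash = null } = {}) {
  const directive = governingDirective(parsePolicy(policy), type);
  if (directive === null) return { allowed: true, directive: null, message: null };
  const { name, sources } = directive;

  // CSP2/3: a nonce or hash source in the list, or 'strict-dynamic' for
  // scripts, switches 'unsafe-inline' off so old policies degrade safely.
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  const strictDynamic = type === "script" && hasKeyword(sources, "strict-dynamic");
  const unsafeInline = hasKeyword(sources, "unsafe-inline") && !hasNonceOrHash && !strictDynamic;

  if (unsafeInline || matchesNonce(sources, nonce) || matchesHash(sources, hash)) {
    return { allowed: true, directive: name, message: null };
  }
  return {
    allowed: false,
    directive: name,
    message:
      `Content Security Policy: blocked an inline ${type} because ` +
      `"${name} ${sources.join(" ")}" does not include 'unsafe-inline', ` +
      `a matching nonce, or a matching hash.`,
  };
}

// Constructed input: the policy quoted in the report.
const SAMPLE_POLICY =
  "default-src 'self'; font-src 'self' https://fonts.gstatic.com; " +
  "script-src 'self' https://ajax.googleapis.com https://login.persona.org; " +
  "style-src 'self' https://fonts.googleapis.com;";

console.log(checkInline(SAMPLE_POLICY, "style").message);
console.log(checkInline(SAMPLE_POLICY, "script").message);
// The usual fix, a nonce per inline element, and the CSP2 rule that a listed
// nonce disables 'unsafe-inline' in browsers that understand nonces:
console.log(checkInline("script-src 'self' 'nonce-R4nd0m'", "script", { nonce: "R4nd0m" }).allowed);
console.log(checkInline("script-src 'unsafe-inline' 'nonce-R4nd0m'", "script").allowed);
```

Running it against the report's policy prints a message that names style-src (or script-src) and says "inline style" (or "inline script"), which is the information the original "resource at self" wording hides. The last two calls show the practitioner's caveat: once a nonce or hash is listed, 'unsafe-inline' is ignored, so adding a nonce to the policy without putting it on every inline element blocks those elements.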
The text is not in devtools, but in dom/ here:

https://dxr.mozilla.org/mozilla-central/source/dom/locales/en-US/chrome/security/csp.properties#12
Component: Developer Tools: Console → DOM: Security
Product: Firefox → Core
Whiteboard: [domsecurity-backlog]
I bumped Bug 1279894 to be a P1, which is a duplicate of this bug!
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE