Closed
Bug 1204503
Opened 9 years ago
Closed 9 years ago
Content security policy, FF does not accept nonce string
Categories
(Core :: Security, defect)
RESOLVED
DUPLICATE
of bug 1026520
People
(Reporter: aaatoja, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 2015082600

Steps to reproduce:

Simple page to reproduce bug:

<?php
header('content-security-policy: script-src \'self\' \'nonce-abc\'');
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<script nonce="abc">
var x = 1;
</script>
</head>
<body>
<p>test</p>
</body>
</html>

Actual results:

Every tested browser (older Opera, latest Chromium) accepts and executes the script. Firefox is blocking the inline resource.

Expected results:

Because the nonce is listed as allowed in the header, FF should execute the inline script.
Comment 1•9 years ago
Are you sure the script is blocked? We have bug reports about this situation erroneously reporting that the script was blocked while the script actually runs (e.g. see bug 1165614, bug 1083358, bug 1125565).
Depends on: 1026520
Flags: needinfo?(aaatoja)
Yes, you are right. It's just a Firefox logging error; the script is executed. https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Flags: needinfo?(aaatoja)
Comment 3•9 years ago
Thanks for double-checking that!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
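When a console message and the actual behaviour disagree, as in this report, it helps to work out independently what the policy itself permits. The following is an added example, not code from this bug or from Firefox: the function names are hypothetical, and it assumes a single policy using only `script-src` or `default-src` (no hashes, `strict-dynamic` or `script-src-elem`).

```javascript
// Policy string taken from the reporter's test page.
const REPORT_POLICY = "script-src 'self' 'nonce-abc'";

// Parse one serialized policy into a Map of directive name -> source list.
function parsePolicy(headerValue) {
  const directives = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Return true when an inline <script> with this nonce attribute (or null
// for no attribute) is allowed to run under the given policy.
function inlineScriptAllowed(headerValue, nonceAttr) {
  const policy = parsePolicy(headerValue);
  const sources = policy.get('script-src') ?? policy.get('default-src');
  if (sources === undefined) return true; // no directive governs scripts
  const nonces = sources
    .map((s) => /^'nonce-([A-Za-z0-9+\/_-]+={0,2})'$/i.exec(s))
    .filter(Boolean)
    .map((m) => m[1]);
  // A matching nonce allows the element; the value comparison is case-sensitive.
  if (nonceAttr && nonces.includes(nonceAttr)) return true;
  // 'unsafe-inline' is ignored as soon as any nonce source is present.
  const hasUnsafeInline = sources.some((s) => s.toLowerCase() === "'unsafe-inline'");
  return nonces.length === 0 && hasUnsafeInline;
}
```

For the reporter's page, `inlineScriptAllowed(REPORT_POLICY, 'abc')` returns `true`, which matches the script actually executing. The fixed value `abc` is only suitable for a reproduction; a deployed policy uses a fresh unpredictable nonce for every response.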