Closed Bug 1204503 Opened 9 years ago Closed 9 years ago

Content security policy, FF does not accept nonce string

Categories

(Core :: Security, defect)

40 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1026520

People

(Reporter: aaatoja, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0
Build ID: 2015082600

Steps to reproduce:

Simple page to reproduce the bug:
<?php
// Send the CSP header before any output; the nonce value here ('abc')
// must match the nonce attribute on the inline <script> below.
header('content-security-policy: script-src \'self\' \'nonce-abc\'');
?>
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1.0">
  <!-- inline script carrying the nonce allowed by the header -->
  <script nonce="abc">
      var x = 1;
  </script>
</head>
<body>
    <p>test</p>
</body>
</html>


Actual results:

Every tested browser (older Opera, latest Chromium) accepts and executes the script. Firefox is blocking the inline resource.


Expected results:

Because the nonce is listed as allowed in the header, FF should execute the inline script.
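As an added illustration (not part of the bug report or of Firefox's code), the following Python snippet parses a Content-Security-Policy header value and applies the nonce-matching rule the reproduction relies on: an inline script runs only if the script-src directive (or default-src as fallback) lists a matching 'nonce-…' source, and 'unsafe-inline' is ignored once a nonce or hash source is present. It also shows minting a fresh per-response nonce, which the constant 'abc' in the test page does not do. The function names and the checking logic are my own; the header and nonce values are taken from the reproduction above.

```python
"""
Check whether an inline <script nonce="..."> is permitted by a
Content-Security-Policy header, and mint a per-response nonce.
"""
import base64
import secrets

# Source expressions that switch 'unsafe-inline' off in a directive (CSP Level 2+).
_NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Parse a CSP header value into {directive-name: [source expressions]}.

    Directives are separated by ';'; the first token is the directive name
    (case-insensitive), the remaining tokens are its source expressions.
    """
    policy = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        policy.setdefault(name, []).extend(tokens[1:])
    return policy


def inline_script_allowed(policy, nonce=None):
    """Return True if an inline script carrying `nonce` (or no nonce) may execute.

    script-src governs inline scripts; if it is absent, default-src does.
    If neither is present, CSP places no restriction on inline script.
    """
    sources = policy.get("script-src")
    if sources is None:
        sources = policy.get("default-src")
    if sources is None:
        return True

    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(s.startswith(_NONCE_OR_HASH_PREFIXES) for s in lowered)

    # 'unsafe-inline' permits every inline script, but only when the directive
    # carries no nonce or hash source; otherwise the keyword is ignored.
    if "'unsafe-inline'" in lowered and not has_nonce_or_hash:
        return True

    if nonce is None:
        return False
    # Nonce values are compared exactly (case-sensitive), hence `sources`
    # rather than `lowered`.
    return f"'nonce-{nonce}'" in sources


def generate_nonce(nbytes=16):
    """Return a fresh, unpredictable base64 nonce for one HTTP response.

    A constant such as 'abc' is fine for a test page, but a predictable or
    reused nonce gives no protection against injected inline script, so
    production pages should emit a new random value on every response.
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


if __name__ == "__main__":
    # Constructed inputs: the header and nonce from the reproduction page above.
    repro_policy = parse_csp("script-src 'self' 'nonce-abc'")
    print("<script nonce=\"abc\"> allowed:", inline_script_allowed(repro_policy, "abc"))
    print("<script> without nonce allowed:", inline_script_allowed(repro_policy))
    print("fresh nonce for the next response:", generate_nonce())
```

Run against the reproduction's header, the check reports the nonced script as allowed, which matches the resolution below: the script does execute in Firefox, and only the console message was misleading.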
Component: Untriaged → Security
Product: Firefox → Core
Are you sure the script is blocked? We have bug reports about this situation erroneously reporting that the script was blocked while the script actually runs (e.g. see bug 1165614, bug 1083358, bug 1125565).
Depends on: 1026520
Flags: needinfo?(aaatoja)
Yes, you are right. It's just Firefox logging an error; the script is executed. https://bugzilla.mozilla.org/show_bug.cgi?id=1026520
Flags: needinfo?(aaatoja)
Thanks for double-checking that!
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
No longer depends on: 1026520