User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/47.0.2526.73 Safari/537.36

Steps to reproduce: I visited a page whose Content Security Policy did not include `unsafe-inline`, but did include inline script.

Actual results: The violation report's `blocked-uri` field was an empty string.

Expected results: The (very new) https://w3c.github.io/webappsec-csp/#violation-resource defines a violation's resource as either a URL, or the string "inline" or "eval". The latter two are returned instead of an empty string when a violation occurs because of a mismatch with `unsafe-inline` or `unsafe-eval`. Ideally, the `blocked-uri` in the report would have contained one of those strings.
Summary: CS: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated. → CSP: Return 'inline' or 'eval' when `'unsafe-inline'` or `'unsafe-eval'` are violated.
Chrome has implemented this behavior in https://codereview.chromium.org/1486993002. Ms2ger assures me that your diff tools are better, but hopefully you can parse something useful out of that patch. :)
Status: UNCONFIRMED → NEW
Component: Untriaged → DOM: Security
Ever confirmed: true
Product: Firefox → Core
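The distinction the report asks for matters to whoever consumes `report-uri` submissions: an empty `blocked-uri` cannot be told apart from a scheme-only or malformed URL, while "inline" and "eval" name the cause directly. The following is an added example, not code from this bug or from Firefox/Chromium, of a report triage routine that handles both the legacy empty string described above and the spec's "inline"/"eval" values. The sample reports are constructed, the `csp-report` wrapper is the `report-uri` JSON shape, and the `INLINE_CAPABLE` directive set and remediation strings are this example's own assumptions.

```javascript
// Added example (not from the bug report or any browser's code): triage of
// CSP violation reports. Legacy reports carry an empty `blocked-uri` for
// inline/eval violations; spec-conforming ones carry "inline" or "eval".

// Constructed sample reports, not captured from a real browser.
const SAMPLE_REPORTS = [
  { "csp-report": {
      "document-uri": "https://example.test/page",
      "violated-directive": "script-src 'self'",
      "effective-directive": "script-src",
      "blocked-uri": "inline" } },                          // spec behaviour
  { "csp-report": {
      "document-uri": "https://example.test/page",
      "violated-directive": "script-src 'self'",
      "effective-directive": "script-src",
      "blocked-uri": "eval" } },                            // spec behaviour
  { "csp-report": {
      "document-uri": "https://example.test/page",
      "violated-directive": "script-src 'self'",
      "blocked-uri": "" } },                                // legacy: empty string
  { "csp-report": {
      "document-uri": "https://example.test/page",
      "violated-directive": "script-src 'self'",
      "effective-directive": "script-src",
      "blocked-uri": "https://cdn.example.test/lib.js" } }, // external resource
];

// Directives whose violations can come from inline code or eval rather than a
// fetched URL. Only for these is an empty blocked-uri read as "inline or eval".
const INLINE_CAPABLE = new Set([
  "script-src", "style-src",
  "script-src-elem", "script-src-attr", "style-src-elem", "style-src-attr",
]);

// Classify one report. Returns { kind, directive, origin, remediation }.
function classifyViolation(report) {
  const r = report["csp-report"] || report;
  const blocked = typeof r["blocked-uri"] === "string" ? r["blocked-uri"] : "";
  // effective-directive is the newer field; fall back to the directive name
  // (first token) of violated-directive for older reports.
  const directive = r["effective-directive"] ||
    String(r["violated-directive"] || "").split(/\s+/)[0];

  if (blocked === "inline") {
    return { kind: "inline", directive, origin: null,
      remediation: "move the inline code to an external file or allow it with a nonce or hash" };
  }
  if (blocked === "eval") {
    return { kind: "eval", directive, origin: null,
      remediation: "remove string-to-code (eval-style) usage" };
  }
  if (blocked === "") {
    // Legacy report, as this bug describes: inline and eval cannot be told apart.
    const kind = INLINE_CAPABLE.has(directive) ? "inline-or-eval" : "unknown";
    return { kind, directive, origin: null,
      remediation: kind === "inline-or-eval"
        ? "legacy report: inspect the page for inline code and eval usage under " + directive
        : "insufficient data in report" };
  }
  // Anything else is a resource URL, possibly reduced to a bare scheme ("data").
  let origin;
  try { origin = new URL(blocked).origin; } catch (_) { origin = blocked; }
  return { kind: "url", directive, origin,
    remediation: "allow " + origin + " in " + directive + " only if it is expected" };
}

// Count kinds so a triage view can separate inline/eval noise from
// genuinely unexpected external resources.
function summarize(reports) {
  const counts = {};
  for (const rep of reports) {
    const { kind } = classifyViolation(rep);
    counts[kind] = (counts[kind] || 0) + 1;
  }
  return counts;
}

console.log(summarize(SAMPLE_REPORTS));
```

Run with `node` to see the per-kind counts; in a real endpoint the same `classifyViolation` would be applied to each POSTed report body. The "inline-or-eval" bucket exists precisely because of the behaviour reported here: once browsers emit "inline"/"eval", that bucket empties and the two causes can be routed to different owners.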