Created attachment 8817006
Testcase

See attached testcase. It produces an error message like so:

Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://wherever-you-load-it-from”). Source: alert("If I ran, you don't support CS....

which is really confusing, because the CSP allows "self" but we're saying we blocked loading from "self"! For comparison, Chrome's error message here is:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-oghgfvQDdGeEAWYqDGP5zOPOH2b6biW/qrMalGw86rY='), or a nonce ('nonce-...') is required to enable inline execution.

which is much clearer about what actually happened. Christoph, do you know who owns this stuff?
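The point behind the confusing message is that a 'self' source never permits inline scripts; an inline script runs only through 'unsafe-inline', a matching nonce, or a matching hash. The following added example (not code from this bug or from Firefox) checks an inline script against a policy and, when it is blocked, builds a message in the style of the Chrome wording quoted above, including the hash that would allow it. The sample policy, the inline script text, and the function names are assumptions constructed for the example.

```python
import base64
import hashlib

# Constructed sample inputs: a policy that only allows same-origin scripts,
# and an inline script similar to the one in the attached testcase.
SAMPLE_POLICY = "default-src 'none'; script-src 'self'"
SAMPLE_INLINE = 'alert("If I ran, you don\'t support CSP.")'

def parse_csp(header):
    """Map each directive name to its list of source expressions."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def script_hash(source, algo="sha256"):
    """CSP hash-source for an inline script: '<algo>-<base64 digest>'."""
    digest = hashlib.new(algo, source.encode("utf-8")).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def check_inline_script(header, source, nonce=None):
    """Return (allowed, message) for an inline script under `header`.

    'self' and host sources never match inline code; 'unsafe-inline' is
    ignored once any nonce or hash source is listed in the same directive.
    """
    policy = parse_csp(header)
    directive = "script-src" if "script-src" in policy else "default-src"
    if directive not in policy:
        return True, "no script-src or default-src directive; inline allowed"
    sources = policy[directive]
    quoted = [s.strip("'") for s in sources if s.startswith("'")]
    has_strict = any(q.startswith(("nonce-", "sha")) for q in quoted)
    if "unsafe-inline" in quoted and not has_strict:
        return True, "allowed by 'unsafe-inline'"
    if nonce and f"nonce-{nonce}" in quoted:
        return True, "allowed by matching nonce"
    for q in quoted:
        algo = q.split("-", 1)[0]
        if algo in ("sha256", "sha384", "sha512") and q == script_hash(source, algo):
            return True, f"allowed by matching {algo} hash"
    shown = f"{directive} {' '.join(sources)}".rstrip()
    return False, (
        "Refused to execute inline script because it violates the following "
        f'Content Security Policy directive: "{shown}". Either the '
        f"'unsafe-inline' keyword, a hash ('{script_hash(source)}'), or a nonce "
        "('nonce-...') is required to enable inline execution."
    )
```

Adding the reported hash to the policy (or serving the script from the same origin instead of inline) is the fix the message is meant to point at.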
We have an effort in improving our CSP console messages. Arroway, are you still leading that effort? If not, please let me know and we should get a roadmap around those improvements. thanks!
Flags: needinfo?(ckerschb) → needinfo?(stephouillon)
I don't have anything to report and it's not likely that I'll focus on that soon.
(In reply to Stephanie Ouillon [:arroway] from comment #2)
> I don't have anything to report and it's not likely that I'll focus on that
> soon.

Freddy, any chance you wanna take on the work on this bug? Would be great to have.
Yes, taking this and also 1242016. Though I will likely not be able to prioritize this before Q1 2017.
Assignee: nobody → fbraun
Assignee: fbraun → nobody