Closed Bug 1322255 Opened 8 years ago Closed 5 years ago

CSP error reporting for blocking an inline script is really confusing

Categories

(Core :: DOM: Security, defect, P2)

defect

Tracking


RESOLVED DUPLICATE of bug 1279894
Tracking Status
firefox53 --- affected

People

(Reporter: bzbarsky, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-active])

Attachments

(1 file)

Attached file Testcase
See attached testcase.  It produces an error message like so:

  Content Security Policy: The page’s settings blocked the loading of a resource
    at self (“script-src http://wherever-you-load-it-from”). 
    Source:  alert("If I ran, you don't support CS....

which is really confusing, because the CSP allows "self" but we're saying we blocked loading from "self"!

For comparison, Chrome's error message here is:

  Refused to execute inline script because it violates the following
  Content Security Policy directive: "script-src 'self'". Either the
  'unsafe-inline' keyword, a hash
  ('sha256-oghgfvQDdGeEAWYqDGP5zOPOH2b6biW/qrMalGw86rY='), or a nonce
  ('nonce-...') is required to enable inline execution.

which is much clearer about what actually happened.

Christoph, do you know who owns this stuff?
Flags: needinfo?(ckerschb)
We have an effort underway to improve our CSP console messages. Arroway, are you still leading that effort? If not, please let me know and we should get a roadmap around those improvements. Thanks!
Flags: needinfo?(ckerschb) → needinfo?(stephouillon)
I don't have anything to report and it's not likely that I'll focus on that soon.
Flags: needinfo?(stephouillon)
(In reply to Stephanie Ouillon [:arroway] from comment #2)
> I don't have anything to report and it's not likely that I'll focus on that
> soon.

Freddy, any chance you wanna take on the work on this bug? Would be great to have.
Flags: needinfo?(fbraun)
Yes, taking this and also 1242016. Though I will likely not be able to prioritize this before Q1 2017.
Assignee: nobody → fbraun
Flags: needinfo?(fbraun)
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee: fbraun → nobody

It looks like we are reporting inline now instead of self, so this is less confusing. More follow-up work should be in bug 1279894 to make the message itself more helpful with additional context.

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE