CSP error reporting for blocking an inline script is really confusing

DOM: Security
2 years ago
5 months ago

(Reporter: bz, Unassigned)
(Blocks: 1 bug)

Firefox Tracking Flags
(firefox53 affected)

(Whiteboard: [domsecurity-active])

(1 attachment)
Created attachment 8817006

See attached testcase. It produces an error message like so:

  Content Security Policy: The page’s settings blocked the loading of a resource
    at self (“script-src http://wherever-you-load-it-from”). 
    Source:  alert("If I ran, you don't support CS....

which is really confusing, because the CSP allows "self" but we're saying we blocked loading from "self"!

For comparison, Chrome's error message here is:

  Refused to execute inline script because it violates the following
  Content Security Policy directive: "script-src 'self'". Either the
  'unsafe-inline' keyword, a hash
  ('sha256-oghgfvQDdGeEAWYqDGP5zOPOH2b6biW/qrMalGw86rY='), or a nonce
  ('nonce-...') is required to enable inline execution.

which is much clearer about what actually happened.

Christoph, do you know who owns this stuff?
Flags: needinfo?(ckerschb)
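The point of the report is that `'self'` never applies to inline code: an inline script can only be permitted by `'unsafe-inline'`, a matching hash source, or a matching nonce, which is exactly what Chrome's message spells out. The following added example (not the bug's testcase, nor Firefox or Chrome code) implements that decision rule, computes the `'sha256-...'` hash source a policy would need, and produces a Chrome-style message that names the hash instead of blaming `'self'`. The inline script body, the nonce values, and the function names are all constructed for illustration; the testcase's real script is not on the page.

```python
import base64
import hashlib
from typing import Optional, Tuple

# Constructed sample inline script; the bug's real testcase body is not on
# the page (the console output truncates it), so this one is made up.
INLINE_SCRIPT = 'alert("If I ran, the hash below was not enforced")'

HASH_ALGOS = ("sha256", "sha384", "sha512")


def csp_hash_source(script_body: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source ('sha256-<base64 digest>') for an inline
    script. The digest covers the exact UTF-8 bytes of the script element's
    text content, whitespace included, so any reformatting of the inline
    code invalidates the hash."""
    if algo not in HASH_ALGOS:
        raise ValueError("CSP hash sources must be sha256, sha384 or sha512")
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_allowed(script_body: str, script_src: str,
                          nonce: Optional[str] = None) -> Tuple[bool, str]:
    """Decide whether an inline script may execute under a script-src value.

    Returns (allowed, reason). Inline code needs 'unsafe-inline', a matching
    hash, or a matching nonce. 'self' and host/scheme sources describe where
    external scripts may be fetched from and never apply to inline code,
    which is why a message that blames 'self' is misleading.
    """
    sources = script_src.split()
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)

    # A matching nonce attribute on the <script> element allows it.
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True, f"nonce '{nonce}' matches the policy"

    # A hash source matching the script's content allows it.
    for algo in HASH_ALGOS:
        if csp_hash_source(script_body, algo) in sources:
            return True, f"{algo} hash of the script content matches the policy"

    # Per CSP Level 2 and later, 'unsafe-inline' is ignored when the directive
    # also carries a nonce or hash; this lets a policy stay compatible with
    # CSP Level 1 browsers without weakening newer ones.
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True, "'unsafe-inline' permits all inline scripts"

    return False, ("inline script blocked: 'unsafe-inline', a matching hash, "
                   "or a matching nonce is required")


def describe_violation(script_body: str, script_src: str,
                       nonce: Optional[str] = None) -> str:
    """Produce a console-style explanation of an inline-script block that,
    like Chrome's, names the directive and the exact hash that would allow
    this script, rather than reporting a blocked load from 'self'."""
    allowed, reason = inline_script_allowed(script_body, script_src, nonce)
    if allowed:
        return f"Inline script executed: {reason}"
    preview = script_body if len(script_body) <= 40 else script_body[:40] + "..."
    return (
        f"Refused to execute inline script because it violates the "
        f"Content Security Policy directive: \"script-src {script_src}\". "
        f"Either the 'unsafe-inline' keyword, a hash "
        f"({csp_hash_source(script_body)}), or a nonce ('nonce-...') "
        f"is required to enable inline execution. Source: {preview}"
    )


if __name__ == "__main__":
    # Blocked under the policy from the report, then allowed once the hash is added.
    print(describe_violation(INLINE_SCRIPT, "'self'"))
    print(describe_violation(INLINE_SCRIPT, "'self' " + csp_hash_source(INLINE_SCRIPT)))
```

Running the block prints the block message for `script-src 'self'` with the hash that would fix it, then the "executed" line once that hash is appended to the directive. The hash is taken over the script element's text content byte for byte, so the usual reason a pasted hash fails is a whitespace or encoding difference between the served page and the text that was hashed.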
We have an effort in improving our CSP console messages. Arroway, are you still leading that effort? If not, please let me know and we should get a roadmap around those improvements. Thanks!
Blocks: 1242016
Flags: needinfo?(ckerschb) → needinfo?(stephouillon)
I don't have anything to report and it's not likely that I'll focus on that soon.
Flags: needinfo?(stephouillon)
(In reply to Stephanie Ouillon [:arroway] from comment #2)
> I don't have anything to report and it's not likely that I'll focus on that
> soon.

Freddy, any chance you wanna take on the work on this bug? Would be great to have.
Flags: needinfo?(fbraun)
Yes, taking this and also 1242016. Though I will likely not be able to prioritize this before Q1 2017.
Assignee: nobody → fbraun
Flags: needinfo?(fbraun)
Priority: -- → P2
Whiteboard: [domsecurity-active]
Assignee: fbraun → nobody