Bug 1322255 - CSP error reporting for blocking an inline script is really confusing
Status: Closed, RESOLVED DUPLICATE of bug 1279894
Opened 8 years ago, closed 5 years ago
Categories: Core :: DOM: Security, defect, P2

Flag | Tracking | Status
---|---|---
firefox53 | --- | affected

People: Reporter: bzbarsky, Unassigned
References: Blocks 1 open bug
Whiteboard: [domsecurity-active]
Attachments (1 file): testcase, 207 bytes, text/html
See attached testcase. It produces an error message like so:

    Content Security Policy: The page’s settings blocked the loading of a resource at self (“script-src http://wherever-you-load-it-from”). Source: alert("If I ran, you don't support CS....

which is really confusing, because the CSP allows "self" but we're saying we blocked loading from "self"!

For comparison, Chrome's error message here is:

    Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-oghgfvQDdGeEAWYqDGP5zOPOH2b6biW/qrMalGw86rY='), or a nonce ('nonce-...') is required to enable inline execution.

which is much clearer about what actually happened.

Christoph, do you know who owns this stuff?
Flags: needinfo?(ckerschb)
Comment 1 • 8 years ago
We have an effort in improving our CSP console messages. Arroway, are you still leading that effort? If not, please let me know and we should get a roadmap around those improvements. thanks!
Blocks: csp-console-logging
Flags: needinfo?(ckerschb) → needinfo?(stephouillon)
Comment 2 • 8 years ago
I don't have anything to report and it's not likely that I'll focus on that soon.
Flags: needinfo?(stephouillon)
Comment 3 • 8 years ago

(In reply to Stephanie Ouillon [:arroway] from comment #2)
> I don't have anything to report and it's not likely that I'll focus on that
> soon.

Freddy, any chance you wanna take on the work on this bug? Would be great to have.
Flags: needinfo?(fbraun)
Comment 4 • 8 years ago

Yes, taking this and also 1242016. Though I will likely not be able to prioritize this before Q1 2017.
Assignee: nobody → fbraun
Flags: needinfo?(fbraun)
Updated • 7 years ago
Priority: -- → P2
Whiteboard: [domsecurity-active]
Updated • 6 years ago
Assignee: fbraun → nobody
Comment 5 • 5 years ago

It looks like we are reporting inline now instead of self, so this is less confusing. More follow-up work should be in bug 1279894 to make the message itself more helpful with additional context.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE