Mercurial uses inline event handlers in its HTML. This requires script-src: 'unsafe-inline' in the CSP policy. Let's remove the inline event handlers from Mercurial's templates. Ideally we should do this upstream first then backport the changes. But that isn't a strict requirement.
Turns out some Firefox add-on I'm using injects event handlers and this was triggering CSP policy errors.
Status: NEW → RESOLVED
Last Resolved: a year ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.