Open
Bug 1360130
Opened 7 years ago
Updated 2 years ago
Teach CSP Parser to ignore appearance of nonce in other directives than script-src, style-src and default-src
Categories
(Core :: DOM: Security, enhancement, P3)
NEW
People
(Reporter: ckerschb, Unassigned)
Details
(Whiteboard: [domsecurity-backlog1])
Currently the CSP parser accepts nonces to appear in *all* directives. Even though we enforce it only for scripts and styles in the backend, we should teach the CSP parser to ignore it and spit out a warning in the console for developers.
Updated 2 years ago
Severity: normal → S3
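The behaviour requested in this bug, sketched as a stand-alone policy linter. This is an added example, not Firefox's CSP parser code; the function name `lintCspNonces`, the warning text and the sample policy are assumptions made for illustration.

```javascript
// Directives in which a nonce is meaningful, taken from the bug title.
// Extend this set if the browser you target enforces nonces elsewhere.
const NONCE_DIRECTIVES = new Set(["script-src", "style-src", "default-src"]);

// nonce-source per the CSP grammar: 'nonce-<base64-value>' in single quotes.
const NONCE_SOURCE = /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Parses a serialized policy, drops nonce sources from directives that do not
// honour them, and returns one warning per dropped token plus the policy that
// remains in effect.
function lintCspNonces(policy) {
  const warnings = [];
  const kept = [];
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;          // empty directive, e.g. trailing ';'
    const name = tokens[0].toLowerCase();       // directive names are case-insensitive
    const values = tokens.slice(1);
    if (NONCE_DIRECTIVES.has(name)) {
      kept.push([name, ...values].join(" "));
      continue;
    }
    const remaining = [];
    for (const value of values) {
      if (NONCE_SOURCE.test(value)) {
        warnings.push(
          `Ignoring ${value} in "${name}": nonces are only enforced for ` +
          [...NONCE_DIRECTIVES].join(", ")
        );
      } else {
        remaining.push(value);
      }
    }
    // A directive left with no sources matches nothing (same as 'none'),
    // which is why the developer needs the warning rather than silence.
    kept.push([name, ...remaining].join(" "));
  }
  return { warnings, effective: kept.join("; ") };
}

// Constructed sample policy: the same nonce repeated in img-src and frame-src.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'nonce-abc123' 'strict-dynamic'; " +
  "IMG-SRC 'nonce-abc123' https://img.example; frame-src 'nonce-abc123';";

for (const w of lintCspNonces(SAMPLE_POLICY).warnings) console.warn(w);
```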