Open Bug 1360130 Opened 7 years ago Updated 2 years ago

Teach CSP Parser to ignore appearance of nonce in other directives than script-src, style-src and default-src

Categories

(Core :: DOM: Security, enhancement, P3)

People

(Reporter: ckerschb, Unassigned)

Details

(Whiteboard: [domsecurity-backlog1])

Currently the CSP parser accepts nonces to appear in *all* directives. Even though we enforce it only for scripts and styles in the backend, we should teach the CSP parser to ignore it and spit out a warning in the console for developers.
Blocks: 1355801
Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
No longer blocks: 1355801
Severity: normal → S3
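
The behaviour requested in the description, as an added sketch: this is not Gecko's CSP parser code and does not come from the bug. The function name `parsePolicy`, the warning wording and the sample policy are assumptions made for illustration; the set of directives that keep their nonces is taken from the bug title.

```javascript
// Added example, not Gecko code. Directives that keep nonce sources (from the bug title).
const NONCE_DIRECTIVES = new Set(["script-src", "style-src", "default-src"]);
// CSP nonce-source: 'nonce-' followed by base64 / base64url characters and optional padding.
const NONCE_SOURCE = /^'nonce-[A-Za-z0-9+\/_-]+={0,2}'$/i;

// Constructed sample policy: the same nonce is pasted into every directive.
const SAMPLE_POLICY =
  "default-src 'self'; script-src 'nonce-R4nd0m' 'strict-dynamic'; " +
  "img-src 'nonce-R4nd0m' https://img.example; font-src 'nonce-R4nd0m'";

// Returns the parsed directives plus the console warnings a developer would see.
function parsePolicy(policy) {
  const directives = new Map();
  const warnings = [];
  for (const raw of policy.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    if (directives.has(name)) {
      // Per CSP, only the first occurrence of a directive counts.
      warnings.push(`Ignoring duplicate directive '${name}'.`);
      continue;
    }
    const sources = [];
    for (const src of tokens.slice(1)) {
      if (NONCE_SOURCE.test(src) && !NONCE_DIRECTIVES.has(name)) {
        warnings.push(
          `Ignoring ${src} in '${name}': nonces only apply to ` +
          "script-src, style-src and default-src.");
        continue;
      }
      sources.push(src);
    }
    // The directive is kept even when its list ends up empty: an empty source
    // list matches nothing, so dropping the nonce never loosens the policy and
    // never causes an unintended fallback to default-src.
    directives.set(name, sources);
  }
  return { directives, warnings };
}

const { warnings } = parsePolicy(SAMPLE_POLICY);
warnings.forEach((w) => console.warn(w));
```
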