Open Bug 1441306 Opened 7 years ago Updated 4 years ago

BMO triggers Browser Console error: "Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy."

Categories

(bugzilla.mozilla.org :: General, defect)

Production
defect
Not set
normal


People

(Reporter: dholbert, Unassigned)

References

(Blocks 1 open bug)

Details

STR:

1. Load https://bugzilla.mozilla.org/enter_bug.cgi in Firefox Nightly in a fresh profile. (This takes you to a login page.)
2. Open Browser Console (Ctrl+Shift+J) and look at the errors there.

ACTUAL RESULTS:
====
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified (unknown)
Content Security Policy: This site (https://bugzilla.mozilla.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy. (unknown)
====

I'm filing this bug about the second error there. Sounds like BMO is asking the browser to notify it (rather than block) for CSP violations, but there is no notification URI provided, which I think means BMO's CSP isn't doing any good at all. (?)
I get the same Browser Console errors (for bugSOME_NUMBER.bmoattachments.org) whenever I load a bugzilla-hosted testcase, e.g. this one: https://bug1427608.bmoattachments.org/attachment.cgi?id=8952209

That puts the following in my Browser Console:
====
Content Security Policy: Ignoring “'unsafe-inline'” within script-src or style-src: nonce-source or hash-source specified (unknown)
Content Security Policy: This site (https://bug1427608.bmoattachments.org) has a Report-Only policy without a report URI. CSP will not block and cannot report violations of this policy. (unknown)
====
Probably we can skip it for attachments, but the point is that we turned on report-only for all pages that previously had CSP disabled, so that those things can be fixed.
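The two console messages quoted in the comments above come from two independent properties of the header: a nonce or hash in `script-src`/`style-src` makes `'unsafe-inline'` a no-op, and a Report-Only policy with no `report-uri` (or `report-to`) neither blocks nor reports. As an added example, not BMO's code and not its actual policy (the header values below are constructed), a small checker that parses a CSP header and flags both conditions, beside a hardened header that triggers neither:

```python
import re

# A source expression that is a nonce or a hash, e.g. 'nonce-abc' or 'sha256-...'
NONCE_OR_HASH = re.compile(r"^'(?:nonce-|sha(?:256|384|512)-)[A-Za-z0-9+/=_-]+'$", re.I)

def parse_csp(value):
    """Split a CSP header value into {directive-name: [source, ...]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def csp_warnings(header_name, header_value):
    """Return the console warnings such a header triggers, in the order Firefox
    printed them in this bug: the 'unsafe-inline' notice, then the report-uri notice."""
    policy = parse_csp(header_value)
    warnings = []
    # CSP2+ browsers ignore 'unsafe-inline' once a nonce or hash source is present
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, [])
        has_inline = any(s.lower() == "'unsafe-inline'" for s in sources)
        if has_inline and any(NONCE_OR_HASH.match(s) for s in sources):
            warnings.append(f"ignoring 'unsafe-inline' within {directive}: "
                            "nonce-source or hash-source specified")
    # A report-only policy never blocks; with no reporting endpoint it does nothing at all
    report_only = header_name.lower() == "content-security-policy-report-only"
    if report_only and not any(d in policy for d in ("report-uri", "report-to")):
        warnings.append("report-only policy without a report URI: "
                        "CSP will not block and cannot report violations")
    return warnings

# Constructed headers (not BMO's real policy) shaped like the two console messages.
WEAK = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m' 'unsafe-inline'; "
        "style-src 'self' 'unsafe-inline'")
# Hardened: drop the ignored 'unsafe-inline' from script-src and add a report endpoint
FIXED = ("default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
         "style-src 'self' 'unsafe-inline'; report-uri /csp-report")

if __name__ == "__main__":
    for name, value in (("weak", WEAK), ("fixed", FIXED)):
        found = csp_warnings("Content-Security-Policy-Report-Only", value)
        print(name, found or ["no warnings"])
```

`style-src` in WEAK keeps `'unsafe-inline'` without a nonce, so only the `script-src` directive is flagged; the checker looks only at the directive's own sources and does not model `default-src` fallback.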