Closed Bug 1443349 Opened 7 years ago Closed 7 years ago

CSP Warnings in console from Google Auth

Categories

(Socorro :: Webapp, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: osmose, Unassigned)

Details

Visiting https://crash-stats.mozilla.com/home/product/Firefox produces the following errors in the JS console on Nightly:

```
Content Security Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified
Content Security Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified
```

These appear to be caused by the following CSP header from the Google login iframe loaded for the login button:

```
script-src 'nonce-*******' 'unsafe-inline' 'strict-dynamic' https: http: 'unsafe-eval';object-src 'none';base-uri 'none';report-uri /o/cspreport
```

From what I can tell from https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#strict-dynamic, this may be part of a browser compatibility technique to have CSP headers that work on old and new browsers.

Ideally we don't have any console errors, but I can't see much we can do here that doesn't involve a larger change like moving off of the current login system. But maybe there's other options?
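Added example, not part of the bug report and not code from Socorro or Google: a small evaluator showing which `script-src` source expressions from a header shaped like the one above stay in effect in a CSP Level 1, 2 or 3 browser, which is the backward-compatibility behaviour the warnings reflect. The function names and the `PLACEHOLDER` nonce are assumptions made for illustration.

```javascript
// Constructed sample header modelled on the one quoted in the report;
// the nonce value is a placeholder, not a real nonce.
const SAMPLE_HEADER =
  "script-src 'nonce-PLACEHOLDER' 'unsafe-inline' 'strict-dynamic' https: http: " +
  "'unsafe-eval';object-src 'none';base-uri 'none';report-uri /o/cspreport";

const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[^']*'$/;
const HOST_OR_SCHEME = /^[^']/; // unquoted tokens: scheme- and host-sources

// Split a policy into directive name -> list of values (first occurrence wins).
function parsePolicy(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), values);
    }
  }
  return directives;
}

// Report which script-src sources a browser at the given CSP level honors.
function effectiveScriptSrc(header, level) {
  const sources = parsePolicy(header).get('script-src') || [];
  const hasNonceOrHash = sources.some((s) => NONCE_OR_HASH.test(s));
  const strictDynamic = level >= 3 && sources.includes("'strict-dynamic'");
  const honored = [];
  const ignored = [];
  for (const s of sources) {
    let drop = false;
    if (NONCE_OR_HASH.test(s)) drop = level < 2; // unknown to CSP1
    else if (s === "'strict-dynamic'") drop = level < 3; // unknown before CSP3
    else if (s === "'unsafe-inline'") drop = level >= 2 && hasNonceOrHash;
    else if (s === "'self'" || HOST_OR_SCHEME.test(s)) drop = strictDynamic;
    (drop ? ignored : honored).push(s);
  }
  return { honored, ignored };
}

for (const level of [1, 2, 3]) {
  console.log(`CSP${level}`, effectiveScriptSrc(SAMPLE_HEADER, level));
}
```

At Level 3 the ignored list is exactly the three sources named in the console messages, so the messages describe the fallback entries being dropped rather than a blocked script.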
This goes away soon.
We switched to Mozilla SSO and I don't see those CSP warnings anymore. Marking as FIXED.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED