Closed Bug 1561924 Opened 5 years ago Closed 2 years ago

Content Security Policy messages are not really helpful

Categories

(Core :: DOM: Security, enhancement, P3)

RESOLVED INCOMPLETE

People

(Reporter: leplatrem, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [domsecurity-backlog1])

While loading my Web page I can see this message in the Console:
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).

It does not say anything else (resource? is it script? style?).
And it's really hard to figure out what should be done.

I opened it in Chromium and could read this: Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-TYbwAL1uG5EtDAXm/G5TBQKUeiNI1JIfLMh/yMtxDNM='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.

That is slightly more helpful!

I now know it's about a style and that it uses default-src because nothing was explicitly set.

That's it, a quick feedback for some improvement areas ;)
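The two facts the reporter had to get from Chromium (which resource type was blocked, and that `default-src` applied only as a fallback) can be derived from the policy string alone. The sketch below is an added example, not part of the bug report and not Firefox or Chromium code; `parsePolicy` and `explainInline` are hypothetical names, and hash sources are treated as non-matching.

```javascript
// Added example (not browser code): explain why a CSP blocks an inline
// <style> or <script>, naming the resource type and any fallback.

// Parse a serialized policy into a Map: directive name -> source list.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// kind is 'style' or 'script'; nonce is the element's nonce attribute, if any.
// Assumption: hash sources are treated as non-matching, since checking them
// needs a digest of the element's content. The CSP3 *-src-elem and
// *-src-attr directives are also left out.
function explainInline(policy, kind, nonce = null) {
  const directives = parsePolicy(policy);
  const specific = `${kind}-src`;
  const name = directives.has(specific) ? specific
    : directives.has('default-src') ? 'default-src' : null;
  if (name === null) {
    return { blocked: false, directive: null, fallback: false,
             message: `No directive governs inline ${kind}; allowed.` };
  }
  const sources = directives.get(name);
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce|sha256|sha384|sha512)-/.test(s));
  // 'unsafe-inline' is ignored once the list contains a nonce or hash source.
  const viaUnsafeInline = lower.includes("'unsafe-inline'") && !hasNonceOrHash;
  // Nonce values are compared case-sensitively, so use the original tokens.
  const viaNonce = nonce !== null && sources.includes(`'nonce-${nonce}'`);
  const blocked = !(viaUnsafeInline || viaNonce);
  const fallback = name !== specific;
  let message = blocked
    ? `Blocked inline ${kind}: it violates "${name} ${sources.join(' ')}". ` +
      `Allowing it needs 'unsafe-inline', a hash, or a nonce.`
    : `Inline ${kind} allowed by "${name}".`;
  if (fallback) {
    message += ` Note: '${specific}' is not set, so 'default-src' is the fallback.`;
  }
  return { blocked, directive: name, fallback, message };
}
```

For the policy in the report, `explainInline("default-src 'self'", 'style')` reports a blocked inline style governed by `default-src` as a fallback.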

Type: defect → enhancement

I know, we are working on it -> see bug 1242016.

Priority: -- → P3
Whiteboard: [domsecurity-backlog1]
Severity: normal → S3

We are working on improving the error messages in other bugs; this doesn't really provide anything new.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE