Provide content security policy hash and CSP header value in error message
Categories: Core :: DOM: Security, enhancement, P3
People: Reporter: rob, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog1]
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
Request a page which tries to add a <style> element while the CSP policy is set to not allow it.
Actual results:
Developer console correctly shows an error message.
"Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”)."
Expected results:
Like in Chrome, I would have liked to see the SHA hash that I could use to add to my CSP header and possibly the current CSP header values that are set by the server.
Comment 1•5 years ago
Indeed, we are working on a variety of improvements around CSP console messages within Bug 1242016. I am adding this bug as a dependency so it will show up in triage meetings. Putting in the backlog for now.
Comment 2•5 years ago
Baku, would this be a low-hanging fruit for security? I assume the backend already generates the hash or has the hashing function available when logging the CSP warning?
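Until the console reports the hash, it can be computed offline. The following is an added example, not code from Firefox or from this bug: it extracts each inline <style> element from a page, computes its CSP hash-source, and lists the ones the current policy lacks. The function names and the sample policy and HTML are constructed for illustration; only hash sources are checked, so nonces and 'unsafe-inline' are not evaluated.

```python
import base64
import hashlib
from html.parser import HTMLParser
ALGS = ("sha256", "sha384", "sha512")  # hash algorithms CSP accepts
# Constructed sample inputs (not from the bug report).
SAMPLE_POLICY = "default-src 'self'; style-src 'self'"
SAMPLE_HTML = "<html><head><style>body { margin: 0 }</style></head></html>"

def csp_hash_source(text, alg="sha256"):
    """Return the CSP hash-source ('sha256-<base64>') for inline content."""
    digest = hashlib.new(alg, text.encode("utf-8")).digest()
    return "'%s-%s'" % (alg, base64.b64encode(digest).decode("ascii"))

def style_sources(policy):
    """Source list governing <style> elements (CSP3 fallback), or None."""
    directives = {}
    for tokens in (part.split() for part in policy.split(";")):
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), tokens[1:])
    for name in ("style-src-elem", "style-src", "default-src"):
        if name in directives:
            return directives[name]
    return None

class StyleCollector(HTMLParser):  # exact text of each <style>; whitespace matters
    def __init__(self):
        super().__init__()
        self.found, self.css_buf = [], None
    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self.css_buf = []
    def handle_data(self, data):
        if self.css_buf is not None:
            self.css_buf.append(data)
    def handle_endtag(self, tag):
        if tag == "style" and self.css_buf is not None:
            self.found.append("".join(self.css_buf))
            self.css_buf = None

def missing_style_hashes(html, policy):
    """Hash-sources to add so each inline <style> passes the policy."""
    sources = style_sources(policy)
    parser = StyleCollector()
    parser.feed(html)
    parser.close()
    if sources is None:  # no governing directive, nothing is blocked
        return []
    return [csp_hash_source(css) for css in parser.found
            if not any(csp_hash_source(css, a) in sources for a in ALGS)]
```

The hash covers the element's text byte for byte, so any change to the inline style, including whitespace, requires a new hash-source in the header.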