grep says these files have <style> tags in them which will break with CSP:
apps/browse/templates/browse/base_listing.html
apps/amo/templates/amo/category-arrow.html
Is that true? I can't really tell from the spec (https://wiki.mozilla.org/Security/CSP/Specification), but it seems unlikely.
> style-src
> Indicates which sources are valid for externally linked stylesheets. User Agents MUST always allow inline stylesheets and style attributes of HTML tags. User Agents MUST NOT request stylesheets from sources not allowed by the style-src directive. User Agents MUST subject stylesheet requests to the allow directive if style-src is not explicitly specified.
And does this include style="" attributes too?
Hmm, I think you are right that the bug is invalid, due to:
> This includes externally linked stylesheets, as well as
> inline <style> elements and style attributes of HTML elements
> within the protected document
Which would mean as long as we had 'self' in there, we could load off the pages. At least that's how I'm reading it.