Bug 846738 - CSP WARN: Failed to parse unrecognized source 'unsafe-inline'
Product: Firefox
Classification: Client Software
Component: Security
Version: 19 Branch
Platform: x86 Windows XP
Importance: -- normal
Assigned To: Nobody; OK to take it and work on it
Reported: 2013-03-01 05:16 PST by Pawel Krawczyk
Modified: 2014-03-14 03:07 PDT


Description Pawel Krawczyk 2013-03-01 05:16:14 PST
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Go to and run Content Security Policy tests, look at JavaScript console.

Actual results:

Firefox logs error messages on received CSP:

[13:47:55.977] CSP WARN:  Failed to parse unrecognized source 'unsafe-inline'

Headers set by the server:

Content-Security-Policy	default-src 'self'; style-src 'unsafe-inline'
X-Webkit-Csp	default-src 'self'; style-src 'unsafe-inline'
x-content-security-policy	default-src 'self'; style-src 'unsafe-inline'

Expected results:

According to the CSP 1.0 specification, unsafe-inline is a valid CSP keyword that should result in allowing inline JavaScript.

Comment 1 Manuela Muntean [Away] 2013-03-05 02:31:08 PST
Works for me with the latest Nightly, build ID: 20130304030933.
I don't get this warning:  CSP WARN:  Failed to parse unrecognized source 'unsafe-inline'.

Comment 2 Magnus Reftel 2013-09-05 06:59:45 PDT
Works for me on version 23.0. I get 135/187 pass, no warnings about 'unsafe-inline', but lots of warnings saying:

This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored. @

which seems correct to me.

Comment 3 Shreeram Kushwaha 2014-03-14 03:07:45 PDT
Worked for me on 27.0.1
No warnings about unsafe-inline.
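
An added example, not part of the original report and not Firefox's code: a minimal CSP 1.0 source-list parser in JavaScript that takes the headers from the description, resolves the default-src fallback per directive, and applies the header precedence described in Comment 2. The function names, the simplified host/scheme regexes and the warning text (modelled on the console message quoted above) are assumptions for illustration.

```javascript
// Keyword sources defined by CSP 1.0; they only count when single-quoted.
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);
// Simplified scheme/host source grammar (assumption: not the full spec ABNF).
const SCHEME_RE = /^[a-z][a-z0-9+.-]*:$/i;
const HOST_RE = /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:\/\S*)?$/i;

function parsePolicy(value) {
  const directives = new Map();
  const warnings = [];
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (!name) continue;                         // empty segment, e.g. trailing ';'
    const key = name.toLowerCase();
    if (directives.has(key)) continue;           // duplicate directive: first one wins
    const accepted = [];
    for (const src of sources) {
      const lower = src.toLowerCase();
      if (KEYWORDS.has(lower)) accepted.push(lower);
      else if (src.startsWith("'") || !(SCHEME_RE.test(src) || HOST_RE.test(src)))
        warnings.push(`Failed to parse unrecognized source ${src}`);
      else accepted.push(src);                   // unquoted unsafe-inline lands here, as a host
    }
    directives.set(key, accepted);
  }
  return { directives, warnings };
}

// A fetch directive that is absent falls back to default-src.
function sourcesFor(policy, directive) {
  return policy.directives.get(directive) ?? policy.directives.get("default-src") ?? null;
}
function allowsInline(policy, directive) {
  const sources = sourcesFor(policy, directive);
  return sources === null || sources.includes("'unsafe-inline'");
}

// Precedence from Comment 2: the X- header is ignored when the standard one is present.
function selectHeader(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const std = h["content-security-policy"];
  const legacy = h["x-content-security-policy"];
  return { value: std ?? legacy ?? null, legacyIgnored: std !== undefined && legacy !== undefined };
}

// Headers as listed in the description.
const REPORTED = {
  "Content-Security-Policy": "default-src 'self'; style-src 'unsafe-inline'",
  "X-Webkit-Csp": "default-src 'self'; style-src 'unsafe-inline'",
  "x-content-security-policy": "default-src 'self'; style-src 'unsafe-inline'",
};
```

With the reported policy, `allowsInline(policy, "style-src")` is true while `allowsInline(policy, "script-src")` is false, because script-src falls back to `default-src 'self'`.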
