CSP WARN: Failed to parse unrecognized source 'unsafe-inline'

Status: UNCONFIRMED
Assignee: Unassigned
Product: Firefox
Component: Security
Version: 19 Branch
Platform: x86, Windows XP
Reporter: Pawel Krawczyk
Opened: 5 years ago
Last updated: 4 years ago

Description

5 years ago
User Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.22 (KHTML, like Gecko) Chrome/25.0.1364.97 Safari/537.22

Steps to reproduce:

Go to http://csptesting.herokuapp.com and run Content Security Policy tests, look at JavaScript console.


Actual results:

Firefox logs error messages on received CSP:

[13:47:55.977] CSP WARN:  Failed to parse unrecognized source 'unsafe-inline'

Headers set by the server:

Content-Security-Policy	default-src 'self'; style-src 'unsafe-inline'
X-Webkit-Csp	default-src 'self'; style-src 'unsafe-inline'
x-content-security-policy	default-src 'self'; style-src 'unsafe-inline'


Expected results:

According to the CSP 1.0 specification, unsafe-inline is a valid CSP keyword that should result in allowing inline JavaScript.

Comment 1

Works for me with the latest Nightly, build ID: 20130304030933.
I don't get this warning:  CSP WARN:  Failed to parse unrecognized source 'unsafe-inline'.

Updated

5 years ago
Component: Untriaged → Security

Comment 2

4 years ago
Works for me on version 23.0. I get 135/187 pass, no warnings about 'unsafe-inline', but lots of warnings saying:

This site specified both an X-Content-Security-Policy/Report-Only header and a Content-Security-Policy/Report-Only header. The X-Content-Security-Policy/Report-Only header(s) will be ignored. @ http://csptesting.herokuapp.com/test/load/186

which seems correct to me.

Comment 3

4 years ago
Worked for me on 27.0.1
No warnings about unsafe-inline.
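
Added example, not part of the bug report and not Firefox's code: a simplified JavaScript model of the header handling discussed in this thread, run against the three headers quoted in the description. It shows which header is enforced, which are ignored, whether any quoted source fails to parse, and which directive governs inline styles and inline scripts. All function names are hypothetical, and treating the prefixed header as a fallback with the same grammar is an assumption.

```javascript
// Added example (not Firefox source): simplified model of CSP 1.0 handling.
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"]);
// Assumption: the prefixed header is a fallback parsed with the same grammar.
const HONORED = ["content-security-policy", "x-content-security-policy"];
const POLICY_HEADERS = [...HONORED, "x-webkit-csp"];

// Choose the enforced header and list the policy headers that get ignored.
function selectPolicy(headers) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const header = HONORED.find((n) => n in h) ?? null;
  const ignored = POLICY_HEADERS.filter((n) => n in h && n !== header);
  return { header, value: header ? h[header] : "", ignored };
}

// Split a policy into directives; flag quoted tokens that are not keywords.
function parsePolicy(value) {
  const directives = new Map(), warnings = [];
  for (const part of value.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/);
    const key = name.toLowerCase();
    if (!key || directives.has(key)) continue; // first occurrence wins
    directives.set(key, sources);
    for (const s of sources)
      if (s.startsWith("'") && !KEYWORDS.has(s.toLowerCase()))
        warnings.push(`unrecognized source ${s} in ${key}`);
  }
  return { directives, warnings };
}

// Inline content is allowed if the governing source list has 'unsafe-inline'.
function allowsInline(directives, name) {
  const list = directives.get(name) ?? directives.get("default-src");
  if (list === undefined) return true; // no governing directive
  return list.some((s) => s.toLowerCase() === "'unsafe-inline'");
}

function audit(headers) {
  const chosen = selectPolicy(headers);
  const { directives, warnings } = parsePolicy(chosen.value);
  return { enforced: chosen.header, ignored: chosen.ignored, warnings,
    inlineStyle: allowsInline(directives, "style-src"),
    inlineScript: allowsInline(directives, "script-src") };
}

// The three headers quoted in the report, all carrying the same policy.
const POLICY = "default-src 'self'; style-src 'unsafe-inline'";
const REPORT_HEADERS = { "Content-Security-Policy": POLICY, "X-Webkit-Csp": POLICY,
  "x-content-security-policy": POLICY };
console.log(audit(REPORT_HEADERS));
```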