(CSP) "Content Security Policy: Directive inline style base restriction violated" when doing view-source on login.mozilla.org
Categories: Websites :: login.mozilla.com, defect, P5
Tracking: Not tracked
People: Reporter: dholbert, Assigned: gcox
References: Blocks 1 open bug
Details: Whiteboard: [domsecurity-backlog]
Comment 1 (Assignee, 9 months ago)
It's login.mozilla.com now. Nice find, not sure anyone told anyone who owned the site over the years, though. :(
Adding it to the pile-o-debt.
Comment 2 (Assignee, 3 months ago)
Just got to a point where I could look at this and I kinda think this is 'not my bug'?
On a Django stage site, I clamped down on CSP ...
# django-csp settings; each value must be a tuple or list of source expressions.
# A one-element tuple needs the trailing comma: ("'none'") is just the string "'none'".
CSP_DEFAULT_SRC = ("'none'",)
CSP_CONNECT_SRC = ("'self'",)
CSP_FONT_SRC = ("'self'",)
CSP_IMG_SRC = ("'self'",)
CSP_SCRIPT_SRC_ELEM = ("'self'", 'https://code.jquery.com/', 'https://cdn.jsdelivr.net/npm/')
CSP_STYLE_SRC = ("'self'",)
CSP_STYLE_SRC_ATTR = ("'self'",)
# The non-fallbacks (these directives never fall back to default-src):
CSP_BASE_URI = ("'none'",)
CSP_FORM_ACTION = ("'none'",)
CSP_FRAME_ANCESTORS = ("'none'",)
... and that all looks aggressive-but-not-unreasonable. view-source: came back:
Content-Security-Policy: The page’s settings blocked an inline style (style-src-attr) from being applied because it violates the following directive: “style-src-attr 'self'”
Source: tab-size: 4
This seems like bug 1873553. Feels like this is a holistic Fx problem, or I'm unclear where I should ease up on CSP restrictions.
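To make the fallback behaviour in comment 2 concrete, here is a small policy builder and evaluator that is an added example, not code from the bug or from django-csp. It serialises the stage-site directives into a header, parses it back, resolves which directive governs an inline style attribute under the CSP3 fallback chain (style-src-attr, then style-src, then default-src; base-uri, form-action and frame-ancestors have no fallback), and reports whether an attribute such as the `tab-size: 4` from the report would be permitted. The dictionary of directives and the `style="tab-size: 4"` attribute are taken from the comment; the function names, the `build_policy` string check and the sample policies in the usage block are assumptions of this example.

```python
"""Resolve a Content-Security-Policy the way a browser does for inline
style attributes, to see which directive a view-source style= hits."""
from __future__ import annotations

# CSP3 fallback chains: a directive missing from the policy is governed by
# the next directive in its chain. base-uri, form-action and frame-ancestors
# deliberately have no fallback to default-src ("the non-fallbacks").
FALLBACKS = {
    "style-src-attr": ["style-src", "default-src"],
    "style-src-elem": ["style-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "style-src": ["default-src"],
    "script-src": ["default-src"],
    "connect-src": ["default-src"],
    "font-src": ["default-src"],
    "img-src": ["default-src"],
    "base-uri": [],
    "form-action": [],
    "frame-ancestors": [],
}

# Constructed from the settings in comment 2 (directive -> source list).
STAGE_SITE = {
    "default-src": ("'none'",),
    "connect-src": ("'self'",),
    "font-src": ("'self'",),
    "img-src": ("'self'",),
    "script-src-elem": ("'self'", "https://code.jquery.com/", "https://cdn.jsdelivr.net/npm/"),
    "style-src": ("'self'",),
    "style-src-attr": ("'self'",),
    "base-uri": ("'none'",),
    "form-action": ("'none'",),
    "frame-ancestors": ("'none'",),
}


def build_policy(directives: dict[str, tuple[str, ...]]) -> str:
    """Serialise {directive: sources} into a header value.
    A bare string (the ("'none'") without trailing comma pitfall) is rejected,
    because ' '.join("'none'") would silently emit "' n o n e '"."""
    parts = []
    for name, sources in directives.items():
        if isinstance(sources, str):
            raise TypeError(f"{name}: sources must be a tuple or list, got str {sources!r}")
        parts.append(f"{name} {' '.join(sources)}")
    return "; ".join(parts)


def parse_policy(header: str) -> dict[str, list[str]]:
    """Split a header value into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for token in header.split(";"):
        fields = token.split()
        if fields:
            policy[fields[0].lower()] = fields[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return (governing directive, sources) after walking the fallback chain,
    or (None, None) when nothing in the policy restricts this directive."""
    for name in [directive, *FALLBACKS.get(directive, ["default-src"])]:
        if name in policy:
            return name, policy[name]
    return None, None


def inline_attr_allowed(policy, directive="style-src-attr", attr_hash=None):
    """Decide whether an inline attribute (style="..." / onclick="...") may run.
    Nonces never apply to attributes; a hash applies only with 'unsafe-hashes';
    'unsafe-inline' is ignored once any nonce or hash source is present."""
    governing, sources = effective_sources(policy, directive)
    if sources is None:
        return True, governing
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True, governing
    if attr_hash and "'unsafe-hashes'" in sources and attr_hash in sources:
        return True, governing
    return False, governing


def check_view_source_style():
    """The view-source page applies style="tab-size: 4" (per the report).
    Under the stage policy that attribute is judged by style-src-attr 'self',
    which permits no inline attribute at all, so the console warning is expected."""
    header = build_policy(STAGE_SITE)
    allowed, governing = inline_attr_allowed(parse_policy(header))
    return header, allowed, governing


if __name__ == "__main__":
    header, allowed, governing = check_view_source_style()
    print(header)
    print(f"inline style attribute allowed: {allowed} (governed by {governing})")
```

Running it shows that no site-side directive other than adding `'unsafe-inline'` (or `'unsafe-hashes'` with a matching hash) to style-src-attr would let that attribute through, which is why the report is a browser-side question about view-source rather than a misconfiguration of the site's policy.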
Comment 3 (Reporter, 3 months ago)
Yup, I think this is a Firefox bug. I think it was filed as such (though dormant) until you reclassified it in comment 1. :)
Comment 4 (Assignee, 3 months ago)
Fair... but until I got into working on it, it wasn't clear to me that it wasn't a site problem.
[checks dates] I don't think I delayed anything, though. :)
I'mma reso-dupe then; bug 1873553 looks like it has a 10-years-more-modern take on things.