User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130917081302

Steps to reproduce:

Send the following CSP header and try to open an SVG image created by systemd-analyze.

Content-Security-Policy: default-src 'none'; style-src * 'unsafe-inline';

Changing the order of * and 'unsafe-inline' fixes the issue, but according to the W3C draft source-list is an unordered list of source-expressions and I can't find any mention of order being important.

http://www.w3.org/TR/CSP/#source-list

Actual results:

Firefox complains about inline style being forbidden by the CSP.

Expected results:

Firefox should display the image correctly and not complain about CSP issues.
Florian, can you please link to a test case or attach a test case? It will help us move more quickly on this bug.
Test case "* 'unsafe-inline'": http://flo.server-speed.net/tmp/test.svg
Test case "'unsafe-inline' *": http://flo.server-speed.net/tmp/test2.svg

Both render fine in Chromium; in Firefox, test.svg (same file, just different CSP header) is pretty much only a black square.
Thanks for the test cases, Florian. This bug is caused by the early return in CSPSourceList.fromString. Sid - wasn't this the cause of another recent bug? Do you recall which?

http://dxr.mozilla.org/mozilla-central/source/content/base/src/CSPUtils.jsm?from=CSPUtils.jsm#l989
I think it was bug 909029. Garrett, you're almost done with that. Probably wouldn't hurt to see if that's the same bug.
The patch for bug 909029 fixes this problem as well.
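
The order dependence discussed in this bug, as an added example that is not part of the original report and is not Mozilla's CSPUtils.jsm code: a constructed model in which one source-list parser returns as soon as it sees `*` and another examines every source expression. All function names are hypothetical; the two header values are the ones from the report's test cases.

```javascript
// Constructed model of CSP source-list parsing; hypothetical names, not Mozilla's code.
const KEYWORDS = new Set(["'self'", "'unsafe-inline'", "'unsafe-eval'"]);

// Pull one directive's source expressions out of a policy string.
function directiveValue(policy, name) {
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null; // directive absent
}

function newSourceList() {
  return { permitAll: false, hosts: [], keywords: new Set() };
}

// Order-dependent variant: stops at "*", so later keywords are never seen.
function parseWithEarlyReturn(tokens) {
  const list = newSourceList();
  for (const token of tokens) {
    if (token === "*") {
      list.permitAll = true;
      return list; // defect being modelled: the rest of the list is skipped
    }
    const lower = token.toLowerCase();
    if (KEYWORDS.has(lower)) list.keywords.add(lower);
    else list.hosts.push(token);
  }
  return list;
}

// Order-independent variant: every source expression is examined.
function parseUnordered(tokens) {
  const list = newSourceList();
  for (const token of tokens) {
    const lower = token.toLowerCase();
    if (token === "*") list.permitAll = true;
    else if (KEYWORDS.has(lower)) list.keywords.add(lower);
    else list.hosts.push(token);
  }
  return list;
}

// Inline styles need the keyword itself; "*" only matches URLs.
// (This model does not implement the default-src fallback.)
function allowsInlineStyle(policy, parser) {
  const tokens = directiveValue(policy, "style-src");
  return tokens !== null && parser(tokens).keywords.has("'unsafe-inline'");
}

// The two header values from the report's test cases.
const REPORTED = "default-src 'none'; style-src * 'unsafe-inline';";
const REORDERED = "default-src 'none'; style-src 'unsafe-inline' *;";
```

A regression test for this class of bug asserts that both orderings of the same source list produce the same decision.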