Firefox17 and CSP - inline broken? from sec_ext on 2012-12-06 (public-webappsec@w3.org from December 2012)

From: sec_ext <sec_ext@fb.com>
Date: Thu, 6 Dec 2012 00:12:42 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <1717B6CD962D9D4D88D308CA9D0CC0EAA5303397@PRN-MBX02-2.TheFacebook.com>

We noticed CSP parsing changed in Firefox17 (our header stopped working) and we saw https://bugzilla.mozilla.org/show_bug.cgi?id=737064

Any attempts at allowing inline scripts does not work for us.

Anyone else having this issue?

Example that's failing and resulting in 'CSP WARN: Directive inline script base restriction violated' console errors:

x-content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com 'unsafe-inline' 'unsafe-eval'

Thanks

Received on Thursday, 6 December 2012 00:13:07 UTC