W3C home > Mailing lists > Public > public-webappsec@w3.org > December 2012

Firefox17 and CSP - inline broken?

From: sec_ext <sec_ext@fb.com>
Date: Thu, 6 Dec 2012 00:12:42 +0000
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <1717B6CD962D9D4D88D308CA9D0CC0EAA5303397@PRN-MBX02-2.TheFacebook.com>
We noticed CSP parsing changed in Firefox17 (our header stopped working) and we saw https://bugzilla.mozilla.org/show_bug.cgi?id=737064

Any attempts at allowing inline scripts does not work for us.

Anyone else having this issue?

Example that's failing and resulting in 'CSP WARN: Directive inline script base restriction violated' console errors:

x-content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com 'unsafe-inline' 'unsafe-eval'

Received on Thursday, 6 December 2012 00:13:07 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 18:54:30 UTC