Re: Firefox17 and CSP - inline broken?

Nvm found

https://bugzilla.mozilla.org/show_bug.cgi?id=783049

&

https://bugzilla.mozilla.org/show_bug.cgi?id=746978

From: <sec_ext@fb.com>
Date: Wednesday, December 5, 2012 4:12 PM
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Subject: Firefox17 and CSP - inline broken?
Resent-From: <public-webappsec@w3.org>
Resent-Date: Wednesday, December 5, 2012 4:13 PM

We noticed CSP parsing changed in Firefox17 (our header stopped working) and we saw https://bugzilla.mozilla.org/show_bug.cgi?id=737064

Any attempts at allowing inline scripts do not work for us.

Anyone else having this issue?

Example that's failing and resulting in 'CSP WARN: Directive inline script base restriction violated' console errors:

x-content-security-policy: default-src *;script-src https://*.facebook.com http://*.facebook.com 'unsafe-inline' 'unsafe-eval'

Thanks

Received on Thursday, 6 December 2012 00:19:47 UTC