CSP: Directive 'inline script base restriction' violated #137

Open
michielbdejong opened this Issue Dec 18, 2011 · 2 comments

2 participants

@michielbdejong

When visiting http://demos.webintents.org/ using Firefox (in my case FF 9.0 on Mac OS X Lion) you see the following error in the Firebug console:

CSP: Directive "inline script base restriction" violated
var _gaq = _gaq || []; _gaq.push(['... demos....nts.org (line 85)

CSP: Directive "inline script base restriction" violated
(function() { var po = document.createE... demos....nts.org (line 98)

This issue seems to come from the CSP header:
curl -i http://demos.webintents.org | head
[...]
X-Content-Security-Policy: allow 'self'; img-src *; script-src www.google-analytics.com apis.google.com;
[...]

where probably script-src needs an additional 'self' or '' or something of the kind. It also stops you from executing JavaScript in the Firebug console.

This seems to cause web intents to not work at all in Firefox (or at least I couldn't get it to work and couldn't debug what was happening, due to this script restriction).

@PaulKinlan
Owner

It looks like 'self' and webintents.org are needed. Fixing now. Hopefully deployed soon.

@PaulKinlan
Owner

It is actually quite a bit more involved. Need to add unsafe-inline and font-src and frame-src
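As an added example (not code from the webintents project or from either participant), the script below models how the legacy X-Content-Security-Policy header quoted in the report is evaluated: a `script-src` list that is present replaces the `allow` list entirely, so the `'self'` in `allow` does not carry over to scripts, and inline scripts are only permitted by the `'unsafe-inline'` keyword named in the comment (or the older Mozilla `options inline-script` form). It audits the reported header and an assumed corrected one built from the two comments; the `font-src` and `frame-src` hosts are constructed placeholders, since the actual commit contents are not shown on the page.

```python
"""Audit a legacy X-Content-Security-Policy header against the loads a page
needs.  Added example; the FIXED_HEADER is an assumption built from the issue
comments, not the header the project actually deployed."""
from __future__ import annotations

from dataclasses import dataclass

# Header quoted verbatim in the issue report.
ORIGINAL_HEADER = ("allow 'self'; img-src *; "
                   "script-src www.google-analytics.com apis.google.com;")

# Assumed fix from the comments ('self', webintents.org, unsafe-inline,
# font-src, frame-src).  The font/frame hosts are constructed placeholders.
FIXED_HEADER = ("allow 'self'; img-src *; "
                "script-src 'self' 'unsafe-inline' www.google-analytics.com "
                "apis.google.com webintents.org; "
                "font-src 'self' fonts.example.test; "
                "frame-src 'self' webintents.org;")

PAGE_HOST = "demos.webintents.org"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split 'name src src; name src' into {name: [src, ...]}."""
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        parts = clause.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """A directive that is absent falls back to 'allow' (legacy) or
    'default-src'; one that is present replaces that list completely."""
    if directive in policy:
        return policy[directive]
    return policy.get("allow", policy.get("default-src", []))


def host_matches(source: str, host: str, page_host: str) -> bool:
    """Match one source expression against a host name."""
    if source == "*":
        return True
    if source == "'self'":
        return host == page_host
    if source.startswith("'"):          # other keywords never match a host
        return False
    src = source.split("://", 1)[-1]    # tolerate a scheme prefix
    if src.startswith("*."):
        return host.endswith(src[1:])
    return src == host


def allows_host(policy, directive: str, host: str, page_host: str = PAGE_HOST) -> bool:
    return any(host_matches(s, host, page_host)
               for s in effective_sources(policy, directive))


def allows_inline_script(policy) -> bool:
    """Inline scripts need 'unsafe-inline' in the effective script-src list
    (W3C syntax) or the legacy Mozilla 'options inline-script' directive."""
    if "'unsafe-inline'" in effective_sources(policy, "script-src"):
        return True
    return "inline-script" in policy.get("options", [])


@dataclass(frozen=True)
class Need:
    directive: str
    host: str | None    # None means an inline script


# Loads reconstructed from the report and the comments.
NEEDS = [
    Need("script-src", None),                    # _gaq snippet and async loader
    Need("script-src", "demos.webintents.org"),  # the site's own scripts
    Need("script-src", "www.google-analytics.com"),
    Need("script-src", "apis.google.com"),
    Need("script-src", "webintents.org"),        # named in the first comment
    Need("font-src", "fonts.example.test"),      # constructed placeholder host
    Need("frame-src", "webintents.org"),         # directive named; host assumed
]


def audit(header: str, needs=NEEDS, page_host: str = PAGE_HOST) -> list[str]:
    """Return one message per need the header would block."""
    policy = parse_csp(header)
    blocked = []
    for need in needs:
        if need.host is None:
            if not allows_inline_script(policy):
                blocked.append("script-src blocks inline scripts")
        elif not allows_host(policy, need.directive, need.host, page_host):
            blocked.append(f"{need.directive} blocks {need.host}")
    return blocked


if __name__ == "__main__":
    for label, hdr in (("original", ORIGINAL_HEADER), ("fixed", FIXED_HEADER)):
        print(label, audit(hdr) or "OK")
```

Run stand-alone, the original header produces five blocked loads (the two inline Google Analytics snippets, the site's own scripts, webintents.org, and the fallback-to-`allow` font and frame loads), which is the same pattern the Firebug console reported; the assumed fixed header produces none.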

@PaulKinlan PaulKinlan pushed a commit that referenced this issue Dec 22, 2011
Paul Kinlan First set of fixes for issues with CSP #137 74e608a
@PaulKinlan PaulKinlan pushed a commit that referenced this issue Dec 22, 2011
Paul Kinlan Fixing more apps for CSP #137 42413fb