CSP: Directive 'inline script base restriction' violated #137

Open
michielbdejong opened this Issue Dec 18, 2011 · 2 comments


When visiting http://demos.webintents.org/ using Firefox (in my case FF 9.0 on Mac OS X Lion) you see the following error in the Firebug console:

CSP: Directive "inline script base restriction" violated
var _gaq = _gaq || []; _gaq.push(['... demos....nts.org (line 85)

CSP: Directive "inline script base restriction" violated
(function() { var po = document.createE... demos....nts.org (line 98)

This issue seems to come from the CSP header:
curl -i http://demos.webintents.org | head
[...]
X-Content-Security-Policy: allow 'self'; img-src *; script-src www.google-analytics.com apis.google.com;
[...]

where script-src probably needs an additional 'self' or '' or something of the kind. It also stops you from executing JavaScript in the Firebug console.

This seems to cause web intents to not work at all in Firefox (or at least I couldn't get it to work and couldn't debug what was happening, due to this script restriction).

Owner

PaulKinlan commented Dec 22, 2011

It looks like 'self' and webintents.org are needed. Fixing now. Hopefully deployed soon.

Owner

PaulKinlan commented Dec 22, 2011

It is actually quite a bit more involved. Need to add unsafe-inline and font-src and frame-src
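As an added illustration of the header quoted in the report and the additions the maintainer lists (this is example code, not part of the webintents project), the checker below parses the legacy X-Content-Security-Policy string and reports whether inline scripts and same-origin scripts would be permitted. It assumes the pre-standard "allow" directive acts as the fallback for script-src (like default-src in CSP 1.0), matches host sources by hostname only, and does not model font-src or frame-src.

```javascript
// Parse "allow 'self'; img-src *; script-src a b;" into {directive: [sources]}.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Effective source list for scripts: script-src, otherwise the fallback
// directive ("allow" in the legacy X-CSP header, default-src in CSP 1.0).
// Assumption: the legacy "allow" directive behaves like default-src.
function scriptSources(policy) {
  return policy['script-src'] || policy['allow'] || policy['default-src'] || [];
}

// Inline <script> blocks (such as the Google Analytics bootstrap the
// console flags) are only allowed when 'unsafe-inline' is in the list.
function allowsInlineScript(policy) {
  return scriptSources(policy).includes("'unsafe-inline'");
}

// External script from `host`, loaded by a page served from `pageHost`.
// Host matching is by hostname only (no scheme, port or path handling).
function allowsScriptFrom(policy, host, pageHost) {
  return scriptSources(policy).some(src => {
    if (src === "'self'") return host === pageHost;
    if (src === '*') return true;
    if (src.startsWith('*.')) return host.endsWith(src.slice(1));
    return src === host;
  });
}

// Header as quoted in the issue report (copied here as sample input).
const reported = parseCsp("allow 'self'; img-src *; script-src www.google-analytics.com apis.google.com;");
// Constructed policy with the script-src additions the maintainer names:
// 'self', webintents.org and unsafe-inline (font-src/frame-src not modelled).
const fixed = parseCsp("allow 'self'; img-src *; script-src 'self' 'unsafe-inline' webintents.org www.google-analytics.com apis.google.com;");

const PAGE = 'demos.webintents.org';
console.log('reported: inline', allowsInlineScript(reported), '| own scripts', allowsScriptFrom(reported, PAGE, PAGE));
console.log('fixed:    inline', allowsInlineScript(fixed), '| own scripts', allowsScriptFrom(fixed, PAGE, PAGE));
```

The reported header blocks both the inline bootstrap and the site's own scripts, which is why the page's JavaScript never ran; the same check passes once 'self' and 'unsafe-inline' are added.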
