Don't penalize 'unsafe-inline' if hash or nonce source is used in 'style-src' part of CSP #277

fmeum · 2017-09-22T17:03:11Z

According to CSP Level 2, 'unsafe-inline' in 'script-src' or 'style-src' will be ignored if a hash or nonce source is used. This is quite convenient as one can maintain backwards compatibility without sacrificing security in modern user agents. Observatory no longer shows a warning for this in the case of 'script-src' since Issue #88 has been closed, but in 'style-src' it still does.

Fixes mozilla#277.

fmeum added a commit to fmeum/http-observatory that referenced this issue Oct 21, 2017

Don't penalize 'unsafe-inline' + hash/nonce source in style-src

8ae6f67

Fixes mozilla#277.

fmeum mentioned this issue Oct 21, 2017

Don't penalize 'unsafe-inline' + hash/nonce source in style-src #290

Merged

fmeum added a commit to fmeum/http-observatory that referenced this issue Dec 6, 2017

Don't penalize 'unsafe-inline' + hash/nonce source in style-src

7ac2497

Fixes mozilla#277.

fmeum added a commit to fmeum/http-observatory that referenced this issue Dec 6, 2017

Don't penalize 'unsafe-inline' + hash/nonce source in style-src

7c55cb4

Fixes mozilla#277.

april closed this as completed in #290 Dec 6, 2017

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Don't penalize 'unsafe-inline' if hash or nonce source is used in 'style-src' part of CSP #277

Don't penalize 'unsafe-inline' if hash or nonce source is used in 'style-src' part of CSP #277

fmeum commented Sep 22, 2017

Don't penalize 'unsafe-inline' if hash or nonce source is used in 'style-src' part of CSP #277

Don't penalize 'unsafe-inline' if hash or nonce source is used in 'style-src' part of CSP #277

Comments

fmeum commented Sep 22, 2017