Don't penalize 'unsafe-inline' if hash or nonce source is used, in CSP test #88
Comments
Oh, this is a good catch. I'll try to work up a code fix for this over the next week. Thanks for pointing that out. Despite working with CSP for so long there are still sometimes little things that are easy to miss. Thanks for reporting!
No problem :)
+1 on this!
This should be live now, and I can see that it's now judging things at least more correctly. Let me know if it's still behaving incorrectly, and thanks so much for reporting the bug!
Following CSP level 2, 'unsafe-inline' in 'style-src' should probably be treated in a similar way.
Could you open up a new bug for that, please?
Hello,
After analyzing blackfire.io https://observatory.mozilla.org/analyze.html?host=blackfire.io , the report tells me:
Content Security Policy (CSP) implemented, but allows 'unsafe-inline' inside script-src
This is true in the case of CSP level 1. However, since level 2, it's recommended to add `unsafe-inline` to the `script-src` directive when you're using a nonce or a hash. In this particular case, the `unsafe-inline` is discarded, except for browsers that do not support CSP level 2. What about taking care of this?
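The check this issue asks for, as an added example that is not the Observatory's own code: a small CSP parser that reports 'unsafe-inline' in script-src (or style-src, as the later comment suggests) only when no nonce or hash source accompanies it in the same directive, since a CSP level 2 browser ignores the keyword in that case. The policies below are constructed for illustration.

```python
import re

# Matches CSP level 2 nonce and hash sources, e.g. 'nonce-abc123' or 'sha256-<base64>'.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(?:256|384|512)-[A-Za-z0-9+/=]+)'$"
)


def parse_csp(policy):
    """Split a serialized CSP into {directive-name: [source expressions]}.

    Per the spec, a repeated directive keeps its first occurrence.
    """
    directives = {}
    for token in policy.split(';'):
        parts = token.split()
        if parts:
            directives.setdefault(parts[0].lower(), parts[1:])
    return directives


def effective_sources(directives, directive):
    """script-src and style-src fall back to default-src when not set."""
    if directive in directives:
        return directives[directive]
    return directives.get('default-src', [])


def allows_unsafe_inline(policy, directive='script-src'):
    """True only if 'unsafe-inline' actually takes effect in a CSP level 2 browser.

    The keyword is a no-op when a nonce or hash source is present in the
    same directive, so a scanner should not penalize that combination.
    """
    sources = effective_sources(parse_csp(policy), directive)
    keywords = {s.lower() for s in sources}
    if "'unsafe-inline'" not in keywords:
        return False
    return not any(NONCE_OR_HASH.match(s) for s in sources)


if __name__ == '__main__':
    # Constructed sample policies, not taken from any real site.
    samples = [
        "script-src 'self' 'unsafe-inline'",
        "script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'",
        "default-src 'self' 'unsafe-inline'; style-src 'unsafe-inline' 'nonce-x1'",
    ]
    for csp in samples:
        for d in ('script-src', 'style-src'):
            print(f"{d:10} penalize={allows_unsafe_inline(csp, d)}  <- {csp}")
```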