Don't penalize 'unsafe-inline' if hash or nonce source is used, in CSP test #88
Comments
|
Oh, this is a good catch. I'll try to work up a code fix for this over the next week. Thanks for pointing that out. Despite working with CSP for so long there are still sometimes little things that are easy to miss. Thanks for reporting! |
|
No problem :) |
|
+1 on this! |
april
changed the title
april
added a commit
to april/http-observatory
that referenced
this issue
Aug 30, 2016
|
This should be live now, and I can see that it's now judging things at least more correctly. Let me know if it's still behaving incorrectly, and thanks so much for reporting the bug! |
gdestuynder
pushed a commit
to gdestuynder/http-observatory
that referenced
this issue
Sep 1, 2016
|
Following CSP level 2, 'unsafe-inline' in 'style-src' should probably be treated in a similar way. |
|
Could you open up a new bug for that, please? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Hello,
After analyzing blackfire.io https://observatory.mozilla.org/analyze.html?host=blackfire.io , the report tells me:
Content Security Policy (CSP) implemented, but allows 'unsafe-inline' inside script-srcThis is true in case of CSP level1. However, since level2, it's recommended to add
unsafe-inlineto thescript-srcdirective when you're using a nonce or a hash. In this particular case, theunsafe-inlineis discarded, except for browser that do not support CSP level2.What about taking care of this?
The text was updated successfully, but these errors were encountered: