#13699 closed bug (notabug)
Opened March 31, 2013 02:08PM UTC
Closed April 01, 2013 04:49PM UTC
Last modified November 06, 2013 07:14PM UTC
CSP Warning
Reported by: | anonymous | Owned by: | |
---|---|---|---|
Priority: | undecided | Milestone: | None |
Component: | unfiled | Version: | 1.9.1 |
Keywords: | | Cc: | |
Blocked by: | | Blocking: | |
Description
Inline script base restriction on onsubmit attribute on DIV element.
Using the following content security policy:
Header set "X-Content-Security-Policy" "default-src 'self'; report-uri /csp-report-parser.php; xhr-src 'none'; font-src 'self' *.googleusercontent.com; frame-src 'self' https://maps.google.com; img-src 'self'; media-src 'none'; object-src 'none'; style-src 'self' fonts.googleapis.com; script-src 'self' ajax.googleapis.com;"
Attachments (0)
Change History (3)
Changed April 01, 2013 04:49PM UTC by comment:1
resolution: | → notabug |
---|---|
status: | new → closed |
Changed November 06, 2013 06:26AM UTC by comment:2
Why was this ticket closed as 'notabug'? Similar ticket 7371 for version 1.4.4 was treated as a bug & fixed. I also met this issue, in version 1.9.1 and in 1.10.2 as well. The warning occurs in my case with these CSP settings:
Content-Security-Policy "default-src 'self'"
X-Content-Security-Policy "default-src 'self'"
and in rather random fashion (not always, and I do not see any rule).
Changed November 06, 2013 07:14PM UTC by comment:3
The original description was vague and not related to #7371 where the *act of including jQuery* with no user code generated a CSP bug. Clearly there are many ways a page that calls jQuery methods could run afoul of CSP by its own actions, "in rather random fashion". Please don't add comments to unrelated tickets; open your own with a clear, reproducible test case.
Support can be found on the forums or on the #jquery IRC channel.