Bug Tracker


Ticket #14422 (closed bug: fixed)

Opened 6 months ago

Last modified 5 months ago

CSP violation including jquery in a blank page

Reported by: daniel@… Owned by:
Priority: low Milestone: 1.11
Component: support Version: 1.10.2
Keywords: Cc:
Blocking: Blocked by:

Description

To reproduce: Using Firefox 24.0, open the network console then load http://jquerybugs [dot] herokuapp [dot] com

Expected: Page loads with no CSP error reports. Actual: Console contains a CSP error.

The error message in this case is: [14:17:30.891] Content Security Policy: Directive inline script base restriction violated

Impact: Sites using jQuery cannot effectively use the CSP report violation feature to roll out CSP, because all visitors will trigger a CSP error.

e.g. if I changed the CSP header to use:

Content-Security-Policy-Report-Only default-src 'self'; report-uri '/csp_report'

every visitor to the page would report CSP violations due to jQuery.

Change History

comment:1 Changed 6 months ago by daniel@…

I set up a separate site for the testcase because it only works if you set the Content-Security-Policy header, which most hosts won't allow due to the obvious security implications.

Akismet won't allow me to link to the actual test case (calls outbound links to unknown domains spam) so you'll have to reconstruct the url.

comment:2 Changed 5 months ago by markelog

  • Priority changed from undecided to low
  • Resolution set to fixed
  • Status changed from new to closed
  • Component changed from unfiled to support
  • Milestone changed from None to 1.11

Please follow the bug reporting guidelines and use jsFiddle when providing test cases and demonstrations instead of pasting the code in the ticket.
