Side navigation
#14422 closed bug (fixed)
Opened October 07, 2013 03:23AM UTC
Closed November 08, 2013 03:00PM UTC
CSP violation including jquery in a blank page
| Reported by: | daniel@heath.cc | Owned by: | |
|---|---|---|---|
| Priority: | low | Milestone: | 1.11 |
| Component: | support | Version: | 1.10.2 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
To reproduce:
Using Firefox 24.0, open the network console then load http://jquerybugs [dot] herokuapp [dot] com
Expected: Page loads with no CSP error reports.
Actual: Console contains a CSP error.
The error message in this case is: [14:17:30.891] Content Security Policy: Directive inline script base restriction violated
Impact: Sites using JQuery cannot effectively use the CSP report violation feature to roll out CSP, because all visitors will trigger a CSP error.
E.G. if I changed the CSP header to use:
Content-Security-Policy-Report-Only default-src 'self'; report-uri '/csp_report'
every visitor to the page would report CSP violations due to JQuery.
Attachments (0)
Change History (2)
Changed October 07, 2013 03:27AM UTC by comment:1
Changed November 08, 2013 03:00PM UTC by comment:2
| component: | unfiled → support |
|---|---|
| milestone: | None → 1.11 |
| priority: | undecided → low |
| resolution: | → fixed |
| status: | new → closed |
Thank you for submitting this bug!
Fixed via https://github.com/jquery/jquery/commit/9e3d0f3109756ec8b6166ff60f0d495b8f1d6aca
I setup a separate site for the testcase because it only works if you set the Content-Security-Policy header, which most hosts won't allow due to the obvious security implications.
Akismet won't allow me to link to the actual test case (calls outbound links to unknown domains spam) so you'll have to reconstruct the url.