#13699 closed bug (notabug)
CSP Warning
| Reported by: | anonymous | Owned by: | |
|---|---|---|---|
| Priority: | undecided | Milestone: | None |
| Component: | unfiled | Version: | 1.9.1 |
| Keywords: | Cc: | ||
| Blocked by: | Blocking: |
Description
Inline script base restriction on onsubmit attribute on DIV element.
Using the following content security policy:
Header set "X-Content-Security-Policy" "default-src 'self'; report-uri /csp-report-parser.php; xhr-src 'none'; font-src 'self' *.googleusercontent.com; frame-src 'self' https://maps.google.com; img-src 'self'; media-src 'none'; object-src 'none'; style-src 'self' fonts.googleapis.com; script-src 'self' ajax.googleapis.com;"
Change History (3)
comment:1 Changed 7 years ago by
| Resolution: | → notabug |
|---|---|
| Status: | new → closed |
comment:2 Changed 6 years ago by
Why this ticket was closed as 'notabug'? Similar Ticket 7371 for version 1.4.4 was treated as bug & fixed. I also met this issue, in version 1.9.1 and in 1.10.2 as well. Warning occurs in my case with such CSP settings:
Content-Security-Policy "default-src 'self'" X-Content-Security-Policy "default-src 'self'"
and in rather random fashion (not always, and I do not see any rule).
comment:3 Changed 6 years ago by
The original description was vague and not related to #7371 where the *act of including jQuery* with no user code generated a CSP bug. Clearly there are many ways a page that calls jQuery methods could run afoul of CSP by its own actions, "in rather random fashion". Please don't add comments to unrelated tickets, open your own with a clear reproducible test case.
Support can be found on the forums or on the #jquery irc channel.