Bug Tracker

Opened 7 years ago

Closed 7 years ago

Last modified 6 years ago

#13699 closed bug (notabug)

CSP Warning

Reported by: anonymous
Owned by:
Priority: undecided
Milestone: None
Component: unfiled
Version: 1.9.1
Keywords:
Cc:
Blocked by:
Blocking:

Description

Inline script-based restriction on onsubmit attribute on DIV element.
Using the following content security policy:

Header set "X-Content-Security-Policy" "default-src 'self'; report-uri /csp-report-parser.php; xhr-src 'none'; font-src 'self' *.googleusercontent.com; frame-src 'self' https://maps.google.com; img-src 'self'; media-src 'none'; object-src 'none'; style-src 'self' fonts.googleapis.com; script-src 'self' ajax.googleapis.com;"

Change History (3)

comment:1 Changed 7 years ago by timmywil

Resolution: notabug
Status: new → closed

Support can be found on the forums or on the #jquery irc channel.

comment:2 Changed 6 years ago by kosinski.marcin@…

Why was this ticket closed as 'notabug'? Similar ticket #7371 for version 1.4.4 was treated as a bug and fixed. I also met this issue, in version 1.9.1 and in 1.10.2 as well. The warning occurs in my case with the following CSP settings:

Content-Security-Policy "default-src 'self'"
X-Content-Security-Policy "default-src 'self'"

and in rather random fashion (not always, and I do not see any rule).

comment:3 Changed 6 years ago by dmethvin

The original description was vague and not related to #7371, where the *act of including jQuery* with no user code generated a CSP bug. Clearly there are many ways a page that calls jQuery methods could run afoul of CSP by its own actions, "in rather random fashion". Please don't add comments to unrelated tickets; open your own with a clear, reproducible test case.
