Skip to main content

Bug Tracker

Side navigation

#13699 closed bug (notabug)

Opened March 31, 2013 02:08PM UTC

Closed April 01, 2013 04:49PM UTC

Last modified November 06, 2013 07:14PM UTC

CSP Warning

Reported by: anonymous Owned by:
Priority: undecided Milestone: None
Component: unfiled Version: 1.9.1
Keywords: Cc:
Blocked by: Blocking:

Inline script base restriction on onsubmit attribute on DIV element.

Using the following content security policy:

Header set "X-Content-Security-Policy" "default-src 'self'; report-uri /csp-report-parser.php; xhr-src 'none'; font-src 'self' *; frame-src 'self'; img-src 'self'; media-src 'none'; object-src 'none'; style-src 'self'; script-src 'self';"
Attachments (0)
Change History (3)

Changed April 01, 2013 04:49PM UTC by timmywil comment:1

resolution: → notabug
status: newclosed

Support can be found on the forums or on the #jquery irc channel.

Changed November 06, 2013 06:26AM UTC by comment:2

Why this ticket was closed as 'notabug'? Similar Ticket 7371 for version 1.4.4 was treated as bug & fixed. I also met this issue, in version 1.9.1 and in 1.10.2 as well. Warning occurs in my case with such CSP settings:

Content-Security-Policy "default-src 'self'"

X-Content-Security-Policy "default-src 'self'"

and in rather random fashion (not always, and I do not see any rule).

Changed November 06, 2013 07:14PM UTC by dmethvin comment:3

The original description was vague and not related to #7371 where the *act of including jQuery* with no user code generated a CSP bug. Clearly there are many ways a page that calls jQuery methods could run afoul of CSP by its own actions, "in rather random fashion". Please don't add comments to unrelated tickets, open your own with a clear reproducible test case.