


Content Security Policy in Firefox

  • No replies
  • 1 has this problem
  • 14 views

Hi, we have encountered a CSP issue in Firefox:

We have the following CSP <meta> tag in our application:

<meta http-equiv="Content-Security-Policy" content="default-src 'self';
      script-src 'self' 'unsafe-eval';
      style-src 'self' 'unsafe-inline';
      base-uri 'self';
      frame-src 'self';
      media-src 'self';
      navigate-to 'self';
      form-action 'self';
      object-src 'none';
      connect-src 'self'">

As you can see, we did not specify 'unsafe-inline' in either script-src or default-src, which means that inline scripts like <script>alert(1)</script> should not be allowed to execute. But it still works in Firefox and we get an alert popup.

In Chrome and Edge the policy works fine and blocks the script execution.

Please assist with the issue.

With respect, Victorz
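Whether a policy string permits inline scripts can be checked mechanically, independently of any one browser. The following is an added example written for this page, not code from the original post or from Firefox: a small parser that applies the CSP Level 3 fallback rules (script-src-elem, then script-src, then default-src) to the policy quoted above and reports directives a browser will ignore. The directive list, the POST_POLICY constant and the function names are this example's own.

```javascript
// Added example (not from the original post): a minimal CSP policy parser
// that answers the post's question mechanically, i.e. whether the policy as
// written permits inline <script> execution. Fallback and 'unsafe-inline'
// handling follow CSP Level 3; the sample policy is the one quoted in the post.

// Directives defined by CSP Level 3. navigate-to is deliberately absent: it was
// dropped from the draft and no shipping browser enforces it. Browsers ignore
// an unrecognised directive (with a console warning) and still apply the rest.
const KNOWN_DIRECTIVES = new Set([
  'default-src', 'script-src', 'script-src-elem', 'script-src-attr',
  'style-src', 'style-src-elem', 'style-src-attr', 'img-src', 'font-src',
  'connect-src', 'media-src', 'object-src', 'frame-src', 'child-src',
  'worker-src', 'base-uri', 'form-action', 'frame-ancestors', 'sandbox',
  'report-uri', 'report-to', 'upgrade-insecure-requests',
]);

// Directives that are ignored when the policy is delivered via <meta>.
const META_IGNORED = new Set(['frame-ancestors', 'report-uri', 'sandbox']);

// Parse "name src src; name src" into a Map of name -> [source expressions].
// Any ASCII whitespace (including the newlines inside the post's content
// attribute) separates sources, so a multi-line meta policy parses fine.
function parseCsp(policy) {
  const directives = new Map();
  for (const token of policy.split(';')) {
    const parts = token.trim().split(/\s+/).filter(Boolean);
    if (parts.length === 0) continue;
    const name = parts[0].toLowerCase();
    // First occurrence of a directive wins; duplicates are ignored.
    if (!directives.has(name)) directives.set(name, parts.slice(1));
  }
  return directives;
}

// Fallback chains for the fetch directives this example cares about.
const FALLBACKS = {
  'script-src-elem': ['script-src-elem', 'script-src', 'default-src'],
  'script-src': ['script-src', 'default-src'],
  'style-src-elem': ['style-src-elem', 'style-src', 'default-src'],
  'style-src': ['style-src', 'default-src'],
};

// Return the directive that actually governs `name`, or null if none does.
function effectiveSources(directives, name) {
  const chain = FALLBACKS[name] || [name, 'default-src'];
  for (const candidate of chain) {
    if (directives.has(candidate)) {
      return { from: candidate, sources: directives.get(candidate) };
    }
  }
  return { from: null, sources: null };
}

// Inline <script> elements run only if no directive governs them, or the
// governing directive lists 'unsafe-inline' without any nonce-/hash-source
// (a nonce or hash present in the list disables 'unsafe-inline').
function allowsInlineScript(policy) {
  const { sources } = effectiveSources(parseCsp(policy), 'script-src-elem');
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return lower.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// eval()/new Function() are governed by script-src (falling back to default-src).
function allowsEval(policy) {
  const { sources } = effectiveSources(parseCsp(policy), 'script-src');
  if (sources === null) return true;
  return sources.map((s) => s.toLowerCase()).includes("'unsafe-eval'");
}

// Warnings a browser would emit for this policy: unknown directives, plus
// directives that are dropped when delivered via <meta>.
function policyWarnings(policy, { viaMeta = true } = {}) {
  const warnings = [];
  for (const name of parseCsp(policy).keys()) {
    if (!KNOWN_DIRECTIVES.has(name)) {
      warnings.push(`unknown directive ignored: ${name}`);
    } else if (viaMeta && META_IGNORED.has(name)) {
      warnings.push(`ignored in <meta> policy: ${name}`);
    }
  }
  return warnings;
}

// The policy quoted in the post, copied with its line breaks.
const POST_POLICY = `default-src 'self';
                  script-src  'self' 'unsafe-eval';
                  style-src 'self' 'unsafe-inline';
                  base-uri 'self';
                  frame-src 'self';
                  media-src 'self';
                  navigate-to 'self';
                  form-action 'self';
                  object-src 'none';
                  connect-src 'self'`;

console.log('inline <script> allowed:', allowsInlineScript(POST_POLICY));
console.log('eval allowed:', allowsEval(POST_POLICY));
console.log('warnings:', policyWarnings(POST_POLICY));
```

Run against the quoted policy, the parser confirms the post's reading: script-src governs inline scripts, it contains no 'unsafe-inline', so <script>alert(1)</script> is not permitted by the policy text, and the only directive a browser would drop is navigate-to, which does not weaken the rest. If the script nevertheless runs, the thing to check is how the policy is delivered rather than what it says: a meta-delivered CSP only governs content parsed after the meta element, so it must sit in <head> ahead of the first inline script, and the browser console will show whether the policy was parsed and what it blocked.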
