user10156126

Firefox gives an error with a CSP policy that shouldn't happen

A Firefox add-on with the following CSP in the sidebar HTML document: <meta http-equiv="Content-Security-Policy" content="style-src *;">

Gives this error with a <style></style> embedded in the same HTML document as that policy

Error:

Content Security Policy: The page’s settings blocked the loading of a resource at inline (“style-src”).

I get the same error with "style-src 'self';" or "default-src *;", etc. It only works when I don't use default-src or style-src.

This shouldn't happen, so please tell me if I missed something.

Thanks for your time

Upvotes: 0

Views: 162

Answers (1)

granty

Reputation: 8546

'self' and * allow external sources only (i.e. <link href='https://example.com' rel='stylesheet'>).
Allowing inline styles requires the 'unsafe-inline' or 'nonce-value' token. For example:

<meta http-equiv="Content-Security-Policy" content="style-src 'nonce-abcFe45';">

and in the HTML:

<style nonce="abcFe45">
...
</style>

Or <meta http-equiv="Content-Security-Policy" content="style-src 'unsafe-inline';"> will allow any inline <style></style> blocks and <tag style='color:red'> too.

Upvotes: 0
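
Added example, not part of the answer above: a simplified JavaScript model of the style-src decision the answer describes, run against the policies quoted on this page. The function names and the shape of the `load` object are assumptions made for this illustration; hashes, schemes and host patterns are not modelled.

```javascript
// Simplified model of the CSP check for style loads. It covers only what the
// answer discusses: *, 'self', 'unsafe-inline', nonces, default-src fallback.
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    // A repeated directive is ignored; the first occurrence wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// load (assumed shape): { inline: true, nonce?: string }       for <style>
//                       { inline: false, sameOrigin: boolean } for <link>
function styleAllowed(policy, load) {
  const directives = parsePolicy(policy);
  // style-src falls back to default-src; with neither, styles are unrestricted.
  const sources = directives.get('style-src') ?? directives.get('default-src');
  if (sources === undefined) return true;
  const keywords = sources.map((s) => s.toLowerCase());
  if (!load.inline) {
    // External stylesheet: matched against URL-style source expressions.
    return keywords.includes('*') ||
      (load.sameOrigin === true && keywords.includes("'self'"));
  }
  // Inline <style>: * and 'self' describe URLs, so they never match here.
  const nonces = sources.filter((s) => /^'nonce-.+'$/.test(s));
  if (load.nonce && nonces.includes(`'nonce-${load.nonce}'`)) return true;
  // 'unsafe-inline' is ignored once the directive also lists a nonce.
  return nonces.length === 0 && keywords.includes("'unsafe-inline'");
}

// Constructed cases: the policies quoted in the question and the answer.
function runCases() {
  const inline = { inline: true };
  return {
    star: styleAllowed('style-src *;', inline),
    defaultStar: styleAllowed('default-src *;', inline),
    noDirective: styleAllowed('img-src *;', inline),
    nonceMatch: styleAllowed("style-src 'nonce-abcFe45';", { inline: true, nonce: 'abcFe45' }),
    nonceMissing: styleAllowed("style-src 'nonce-abcFe45';", inline),
    unsafeInline: styleAllowed("style-src 'unsafe-inline';", inline),
    externalStar: styleAllowed('style-src *;', { inline: false, sameOrigin: false }),
  };
}
console.log(runCases());
```

The `noDirective` case corresponds to the question's observation that the inline style only loads when neither style-src nor default-src is present.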
