Firefox and CSP
Hi, at the moment I'm using Firefox 64.0 on a win10 laptop. Up to now I used Firefox Quantum 60.4esr on a Linux installation, but I thought it better to use an up to date win version. On my three page WordPress installation I am using a firewall plugin that lets me handle the frontend (Interaction user - blog) and backend (my interaction with WordPress core, themes and plugins) separately concerning CSP. I'm just starting out (newbie) and as I had read that unsafe-inline and unsafe-eval were dangerous I decided to hash the inline scripts used in the blog (script-src 'self' 'hash' 'hash'...;;). To accomplish this I used Google Chrome, ver. 71.0. At the outset Chrome complained about seven script tags, which I, with the help of the hashes, reduced to two.
Turning to Firefox (cache disabled) I realized that Firefox doesn't seem to care about the hashes: Exactly those inline scripts that I had decimated as problems in Chrome popped up again in Firefox. I admit Firefox rejected much more than just the hashes. Files on my domain inserted as <script src="https://mydomain/.../file.js"></script> become a returning problem; also I would love to know how to handle onload or onerror or such that is embedded in <link rel> tags.
To sum things up: Why the different behaviour concerning hashes between Chrome and Firefox? How to CSP a file src'd in a script tag if it's on the same domain? How about events embedded in Link tags?
Hoping for a reply, assuring you that I have done my best to solve this on my own. Best Regards
Modified by cor-el
All Replies (4)
Try to ask advice at the Stack Overflow forum site.
Hi cor-el,
first of all thanks for your answer.
As for https://support.mozilla.org/en-US/kb/where-go-developer-support - well, I'm no developer, just a normal user. As for Stack Overflow, I hoped a community of Firefox users would know more about Firefox. If you still think I could put a question at Mozilla Developer Support just let me know and I'll set my question as resolved.
Thanks for your time and Best Regards
Hi APJau3Rr, can you give a link to a page where there's a problem?
Mozilla has a page describing hashing inline scripts here: https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
You mentioned a firewall tool --
APJau3Rr said
On my three page WordPress installation I am using a firewall plugin that lets me handle the frontend (Interaction user - blog) and backend (my interaction with WordPress core, themes and plugins) separately concerning CSP. I'm just starting out (newbie) and as I had read that unsafe-inline and unsafe-eval were dangerous I decided to hash the inline scripts used in the blog (script-src 'self' 'hash' 'hash'...;;)
Is that where you are configuring the CSP headers? Maybe they can reality check them for cross-platform compatibility. Or in other words, maybe they allow things that don't work in Firefox without warning you...
Modified by jscher2000 - Support Volunteer
Chosen solution
APJau3Rr said
How about events embedded in Link tags?
For example, onclick? I think you'll need to move those to a script block if you block inline scripts. See:
https://developer.mozilla.org/docs/Web/API/EventTarget/addEventListener
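An added example, not part of the original thread or of any participant's reply: a small Node.js audit that computes the `'sha256-…'` sources for a page's inline `<script>` blocks and lists the inline event-handler attributes (such as `onload` on a `<link>`) that those hashes do not cover. The function names, the sample HTML and its paths are assumptions made up for illustration.

```javascript
// Added example: what a hash-based script-src does and does not cover.
const nodeCrypto = require('crypto');

// Hash source for one inline script: base64 SHA-256 of the exact text between
// <script> and </script>. Whitespace and newlines are part of the input.
function cspHashSource(scriptText) {
  const digest = nodeCrypto.createHash('sha256').update(scriptText, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// Regex scan of a page you control; enough for an audit, not a full HTML parser.
function auditInlineScripts(html) {
  const hashes = [];
  const handlers = [];
  // <script> elements without src are inline and each needs its own hash.
  // Same-origin <script src=...> files are allowed by 'self' instead.
  for (const m of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script>/gi)) {
    if (!/\bsrc\s*=/i.test(m[1])) hashes.push(cspHashSource(m[2]));
  }
  // Event-handler attributes (onload=, onerror=, onclick=, ...) are inline
  // script too, but a <script> hash does not allow them: list them so they
  // can be moved into a script with addEventListener.
  for (const m of html.matchAll(/<([a-z][a-z0-9]*)\b([^>]*)>/gi)) {
    for (const a of m[2].matchAll(/\s(on[a-z]+)\s*=/gi)) {
      handlers.push({ tag: m[1].toLowerCase(), attribute: a[1].toLowerCase() });
    }
  }
  const policy = `script-src ${["'self'", ...hashes].join(' ')};`;
  return { hashes, handlers, policy };
}

// Constructed sample page (hypothetical paths, not taken from the thread).
const SAMPLE_HTML = `<html><head>
<link rel="preload" href="/style.css" as="style" onload="this.rel='stylesheet'">
<script src="/js/file.js"></script>
<script>alert('Hello, world.');</script>
<script> alert('Hello, world.'); </script>
</head><body><img src="/a.png" onerror="this.remove()"></body></html>`;

const report = auditInlineScripts(SAMPLE_HTML);
console.log(report.policy);
console.log('handlers to move:', report.handlers);
```

The two inline scripts in the sample differ only by surrounding spaces and still get different hashes, which is a common reason a hash that was copied from one place does not match the script actually served.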