I have a web server that generates an HTTP/HTML response to a GET request. I have added the following response header: content-security-policy: default-src 'nonce-Z2lnkA9A00KuJsXvx94P6hyDdyRUaxFCiV9lUS0XgWo' 'self' *.my-org.net *.my-org.com fonts.googleapis.com fonts.gstatic.com *.amazon.com;
I then add the following tags to my html document:
<!-- these tags are blocked in firefox -->
<style nonce="Z2lnkA9A00KuJsXvx94P6hyDdyRUaxFCiV9lUS0XgWo"> some inline code ....
<script nonce="Z2lnkA9A00KuJsXvx94P6hyDdyRUaxFCiV9lUS0XgWo"> some inline code ....
<!-- this tag works as expected in all browsers-->
<script src="/scripts/utils.js"></script>
This code executes correctly in Chrome and Edge, but Firefox is blocking the inline script tags, while allowing the fetched script tags to execute.
The error in the Firefox console is: Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).
It seems like Firefox doesn't support nonces in default-src. If you specify the script-src and style-src directives with the necessary sources it should work. I tested this with Firefox 77 and 79.
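As an added example (not code from the question or the answer above): a small Python helper that builds the policy the answer recommends, naming the nonce explicitly in script-src and style-src instead of only in default-src, plus a check that flags a header whose nonce lives only in default-src. The host list and the original header are copied from the question; the function names and the per-response nonce generation are my own.

```python
import secrets
from typing import Dict, List

# Origins taken from the question's own policy.
ALLOWED_HOSTS = [
    "*.my-org.net", "*.my-org.com",
    "fonts.googleapis.com", "fonts.gstatic.com", "*.amazon.com",
]

# The header from the question: nonce present only in default-src.
QUESTION_CSP = ("default-src 'nonce-Z2lnkA9A00KuJsXvx94P6hyDdyRUaxFCiV9lUS0XgWo' "
                "'self' *.my-org.net *.my-org.com fonts.googleapis.com "
                "fonts.gstatic.com *.amazon.com")


def make_nonce() -> str:
    """Fresh, unguessable nonce; generate one per response rather than reusing a fixed value."""
    return secrets.token_urlsafe(32)


def build_csp(nonce: str) -> str:
    """Policy with the nonce declared in script-src and style-src explicitly,
    so inline <script nonce> / <style nonce> are allowed without relying on
    default-src carrying the nonce (which the answer reports Firefox 77/79 ignores)."""
    hosts = " ".join(ALLOWED_HOSTS)
    nonce_src = f"'nonce-{nonce}'"
    return "; ".join([
        f"default-src 'self' {hosts}",
        f"script-src {nonce_src} 'self' {hosts}",
        f"style-src {nonce_src} 'self' {hosts}",
    ])


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def missing_nonce_directives(header: str) -> List[str]:
    """Return the directives (script-src, style-src) that are absent while a nonce
    sits in default-src: the exact configuration that was blocked in Firefox."""
    policy = parse_csp(header)
    if not any(src.startswith("'nonce-") for src in policy.get("default-src", [])):
        return []
    return [d for d in ("script-src", "style-src") if d not in policy]


if __name__ == "__main__":
    print("missing in question's header:", missing_nonce_directives(QUESTION_CSP))
    print("fixed header:", build_csp(make_nonce()))
```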