Open EricGrange opened 2 years ago
Thanks @EricGrange . This would normally be a BCD issue. The compatibility issue is "nonce is not supported in default-src".
@queengooborg Reasonable to add this as a note to default-source on firefox? Or do you think we need a subfeature to track the versions more "obviously". I tend to think a note is better for bugs affecting just one platform.
@teoli2003 This probably isn't sufficient because the problem shows up when default-src is a fallback - the note on default-src is good, but you won't notice it on the script-src page. How about we also add a note on this page here (?):
MDN URL
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
What specific section or headline is this issue about?
script-src relationship with default-src table at the start of the article
What information was incorrect, unhelpful, or incomplete?
The documentation states that
However there is an old bug/limitation of Firefox (detailed in https://bugzilla.mozilla.org/show_bug.cgi?id=1313937) which results in a nonce in default-src not being used as fallback for script-src.
This should be mentioned somewhere in the fallback and / or compatibility issues, as it still affects Firefox at least up to version 100.
What did you expect to see?
Mention that Firefox has lack of support for nonce in default-src
Do you have any supporting links, references, or citations?
https://bugzilla.mozilla.org/show_bug.cgi?id=1313937
Do you have anything more you want to share?
Other navigators (Chromium-based and Safari) support nonce in default-src.
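The fallback rule under discussion, as an added example that is not part of the issue or the MDN page: a small JavaScript model of how a user agent picks the source list that governs `<script>` elements (script-src if present, otherwise default-src) and then matches a nonce against it. The parser is a deliberately simplified subset of CSP written for this example, and the `nonceFallbackBroken` option is an assumption that models only the behaviour the issue reports for Firefox (a nonce listed solely in default-src is not honoured for scripts); it is not taken from any browser's source.

```javascript
// Added example (not from MDN or the issue thread). Simplified CSP model:
// directives are ';'-separated, source expressions are whitespace-separated.

// Parse "default-src 'self'; img-src https:" into Map(directive -> [sources]).
function parsePolicy(header) {
  const directives = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // CSP ignores a repeated directive; the first occurrence wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Source list that governs <script> elements: script-src, else default-src.
// Returns null when neither is present (scripts are then unrestricted).
function effectiveScriptSources(directives) {
  if (directives.has("script-src")) {
    return { from: "script-src", sources: directives.get("script-src") };
  }
  if (directives.has("default-src")) {
    return { from: "default-src", sources: directives.get("default-src") };
  }
  return null;
}

// Does an inline <script nonce="..."> run under this policy?
// opts.nonceFallbackBroken (assumption, modelling the behaviour reported in
// bugzilla 1313937): a nonce inherited from default-src is not honoured.
function allowsNoncedInlineScript(header, nonce, opts = {}) {
  const effective = effectiveScriptSources(parsePolicy(header));
  if (effective === null) return true;

  const { from, sources } = effective;
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));

  // 'unsafe-inline' allows any inline script, but CSP ignores it when the
  // same source list also carries a nonce or hash source.
  if (sources.some((s) => s.toLowerCase() === "'unsafe-inline'") && !hasNonceOrHash) {
    return true;
  }

  if (opts.nonceFallbackBroken && from === "default-src") return false;

  // The 'nonce-' prefix is matched case-insensitively; the value is case-sensitive.
  return sources.some(
    (s) => /^'nonce-/i.test(s) && s.endsWith("'") && s.slice("'nonce-".length, -1) === nonce
  );
}

// Constructed sample policies: the one the issue describes, and the workaround
// of repeating the nonce in an explicit script-src so no fallback is needed.
const fallbackOnly = "default-src 'nonce-r4nd0m'";
const explicitScriptSrc = "default-src 'nonce-r4nd0m'; script-src 'nonce-r4nd0m'";

console.log("spec behaviour, fallback only:",
  allowsNoncedInlineScript(fallbackOnly, "r4nd0m"));
console.log("reported Firefox behaviour, fallback only:",
  allowsNoncedInlineScript(fallbackOnly, "r4nd0m", { nonceFallbackBroken: true }));
console.log("reported Firefox behaviour, explicit script-src:",
  allowsNoncedInlineScript(explicitScriptSrc, "r4nd0m", { nonceFallbackBroken: true }));
```

The practical takeaway the model shows is that a policy relying on default-src alone to carry the nonce behaves differently across the two models, while one that repeats the nonce in an explicit script-src behaves the same in both, which is the shape of policy to prefer until the Firefox limitation is documented or fixed.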
MDN metadata
Page report details
* Folder: `en-us/web/http/headers/content-security-policy/script-src`
* MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
* GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/content-security-policy/script-src/index.md
* Last commit: https://github.com/mdn/content/commit/7cbcf01266fa25c283bd8b7acd35f856fb9a7b48
* Document last modified: 2022-02-01T04:18:52.000Z