netlify / netlify-playground

https://play.netlify.com
MIT License

False pass on incorrect Content Security Policy Directive. #18

Closed budparr closed 7 years ago

budparr commented 7 years ago

- Do you want to request a feature or report a bug? Bug
- What is the current behavior? This CSP directive passes:

/*
  Content-Security-Policy: style-src 'self' unsafe-inline; 

Though according to the Content Security Policy Reference site and the W3C Source List Syntax, keyword sources such as unsafe-inline should be surrounded with single quote marks.

- If the current behavior is a bug, please provide the steps to reproduce. Test the above Content Security Policy directive in https://play.netlify.com/headers, observe passing indication, and then add the same directive to a site and deploy. View site in Chrome's devtools, which will generate the error "Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' unsafe-inline..." Replace unsafe-inline with 'unsafe-inline' and the error disappears.

- What is the expected behavior? An error thrown in the playground.

calavera commented 7 years ago

Thanks for reporting this @budparr. At this time, the playground only validates the formatting of the rules, not their content. It would be interesting to validate the rules themselves, but I don't have any plan/time to implement that in the near future.

We'll definitely take contributions if you want to take a stab at the problem and implement a validator for the rules themselves.
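A source-list validator of the kind @calavera invites contributions for, as an added example that is not code from netlify-playground. It applies the W3C source-expression grammar that @budparr's report cites, so the bare `unsafe-inline` from the report is rejected with a message pointing at the missing quotes, while quoted keywords, nonces, hashes, scheme sources and host sources pass. The function names, the directive list and the `_headers` sample are assumptions of this example.

```javascript
// Added example, not part of netlify-playground: validate the source list of a
// Content-Security-Policy header against the W3C source-list grammar.
// Function names and SAMPLE_HEADERS are assumptions for this example.

const KEYWORDS = [
  "self", "none", "unsafe-inline", "unsafe-eval",
  "strict-dynamic", "unsafe-hashes", "report-sample",
];
const QUOTED_KEYWORDS = new Set(KEYWORDS.map((k) => `'${k}'`));
const NONCE_OR_HASH = /^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$/;
const SCHEME_SOURCE = /^[a-z][a-z0-9+.-]*:$/i;
// [scheme://]host[:port][/path], host may be "*" or start with a "*." label
const HOST_SOURCE =
  /^(?:[a-z][a-z0-9+.-]*:\/\/)?(?:\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(?:\d+|\*))?(?:\/[^\s;,]*)?$/i;

// Directives whose value is a source list (others are skipped here).
const SOURCE_LIST_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "child-src",
  "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
]);

// Returns null for a valid source expression, otherwise an error message.
function validateSourceExpression(expr) {
  const lower = expr.toLowerCase();
  if (QUOTED_KEYWORDS.has(lower)) return null;
  // A bare keyword also matches the host grammar ("self" looks like a
  // hostname), so catch the missing quotes before the host check.
  if (KEYWORDS.includes(lower)) {
    return `keyword "${expr}" must be quoted: '${lower}'`;
  }
  if (NONCE_OR_HASH.test(expr)) return null;
  if (SCHEME_SOURCE.test(expr)) return null;
  if (HOST_SOURCE.test(expr)) return null;
  return `"${expr}" is not a valid source expression`;
}

// Validates one header value; returns a list of error strings (empty = ok).
function validateCsp(policy) {
  const errors = [];
  const directives = policy.split(";").map((d) => d.trim()).filter(Boolean);
  for (const directive of directives) {
    const [name, ...values] = directive.split(/\s+/);
    const lname = name.toLowerCase();
    if (!SOURCE_LIST_DIRECTIVES.has(lname)) continue;
    if (values.length === 0) {
      errors.push(`${lname}: empty source list`);
      continue;
    }
    if (values.length > 1 && values.some((v) => v.toLowerCase() === "'none'")) {
      errors.push(`${lname}: 'none' must be the only source`);
    }
    for (const v of values) {
      const err = validateSourceExpression(v);
      if (err) errors.push(`${lname}: ${err}`);
    }
  }
  return errors;
}

// Netlify _headers format: an unindented path line followed by indented
// "Header: value" lines. Returns CSP errors prefixed with their path.
function lintNetlifyHeaders(text) {
  const errors = [];
  let path = null;
  for (const raw of text.split("\n")) {
    if (!raw.trim()) continue;
    if (!/^\s/.test(raw)) { path = raw.trim(); continue; }
    const idx = raw.indexOf(":");
    if (idx < 0) {
      errors.push(`${path}: malformed header line "${raw.trim()}"`);
      continue;
    }
    const name = raw.slice(0, idx).trim().toLowerCase();
    const value = raw.slice(idx + 1).trim();
    if (name === "content-security-policy") {
      for (const e of validateCsp(value)) errors.push(`${path}: ${e}`);
    }
  }
  return errors;
}

// Constructed sample reproducing the report: unquoted unsafe-inline.
const SAMPLE_HEADERS = `/*
  Content-Security-Policy: style-src 'self' unsafe-inline;
`;

if (typeof require !== "undefined" && require.main === module) {
  for (const e of lintNetlifyHeaders(SAMPLE_HEADERS)) console.log(e);
}
```

Running the block on the sample prints one line naming the `style-src` directive and the unquoted keyword, which is the check the playground's format-only validation misses; a directive such as `default-src 'none'; script-src https://cdn.example.com 'nonce-abc123' https:` produces no errors.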

budparr commented 7 years ago

Thanks for the clarification, @calavera.