tickets #38315
closed
https://download.opensuse.org/ violates Content Security Policy
100%
Description
setloc(); Refused to execute inline script because it violates the following Content Security Policy directive: "default-src 'self' opensuse.org". Note that 'script-src' was not explicitly set, so 'default-src' is used as a fallback
Andreas.
--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."
Updated by pjessen over 5 years ago
- Private changed from Yes to No
Not exactly my specialty :-)
Was this already fixed? my Firefox does not complain about any csp violations and the CSP check is enabled.
I see one inline invocation of setloc() (for setting the title of the page).
I could enable that with 'unsafe-inline', but I think that sort of negates the idea?
Updated by AndreasSchwab over 5 years ago
On Aug 27 2018, admin@opensuse.org wrote:
> Was this already fixed?
Nope.
> my Firefox does not complain about any csp violations and the CSP check is enabled.
How do you know?
> I see one inline invocation of setloc() (for setting the title of the page).
It's obviously not executed.
Andreas.
Updated by pjessen over 5 years ago
- Status changed from New to In Progress
AndreasSchwab wrote:
> On Aug 27 2018, admin@opensuse.org wrote:
>> Was this already fixed?
> Nope.
>> my Firefox does not complain about any csp violations and the CSP check is enabled.
> How do you know?
There is a setting, look for 'csp' under about:config. It is 'true' by default.
I also tried chromium, no complaints there either. Where did you see a complaint?
>> I see one inline invocation of setloc() (for setting the title of the page).
> It's obviously not executed.
It is here. I see the page title change as I change download directory.
Updated by AndreasSchwab over 5 years ago
On Aug 27 2018, admin@opensuse.org wrote:
> There is a setting, look for 'csp' under about:config. It is 'true' by default.
How do you know what a complaint looks like?
> It is here. I see the page title change as I change download directory.
Of course, the page title is part of the page.
Andreas.
Updated by pjessen over 5 years ago
AndreasSchwab wrote:
> On Aug 27 2018, admin@opensuse.org wrote:
>> There is a setting, look for 'csp' under about:config. It is 'true' by default.
> How do you know what a complaint looks like?
I don't know what it looks like, I thought you did, when you reported it?
>> It is here. I see the page title change as I change download directory.
> Of course, the page title is part of the page.
Sorry, I mistyped - I meant the h2 headline just above the directory listing.
In an old browser it is changing, in a newer the setloc() isn't being called, presumably because of the CSP.
I guess that is a good enough indication of CSP being active.
Updated by pjessen about 5 years ago
- Status changed from In Progress to Closed
- % Done changed from 0 to 100
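The trade-off raised in this ticket, as an added example that is not part of the ticket or of openSUSE's code: a simplified Python model of the browser's inline-script check, run against the policy from the error message, a variant with 'unsafe-inline', and a variant that lists a hash of the one inline script. It assumes the inline script body is exactly `setloc();`; both variant policies and the second script are constructed for illustration.

```python
import base64
import hashlib

TICKET_POLICY = "default-src 'self' opensuse.org"  # from the console error
INLINE_BODY = "setloc();"  # assumed exact text inside the inline <script>

def parse_csp(policy):
    """Split a CSP header value into {directive: [source expressions]}."""
    directives = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def hash_source(script_text):
    """Build the 'sha256-<base64>' source expression for an inline script."""
    digest = hashlib.sha256(script_text.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_allowed(policy, script_text):
    """Simplified model of the browser's check for one inline <script>."""
    # Nonces, 'strict-dynamic' and script-src-elem are not modelled.
    directives = parse_csp(policy)
    # script-src falls back to default-src, as the console message notes.
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # nothing in the policy governs scripts
    if hash_source(script_text) in sources:
        return True
    has_hash = any(s.lower().startswith(("'sha256-", "'sha384-", "'sha512-"))
                   for s in sources)
    # A hash in the list makes browsers ignore 'unsafe-inline' (CSP Level 2+).
    return not has_hash and "'unsafe-inline'" in (s.lower() for s in sources)

def compare_fixes():
    """Check setloc() and an unrelated inline script under three policies."""
    base = TICKET_POLICY + "; script-src 'self' opensuse.org "
    policies = {"ticket": TICKET_POLICY,
                "unsafe-inline": base + "'unsafe-inline'",
                "hash": base + hash_source(INLINE_BODY)}
    other = "somethingElse();"  # constructed stand-in for any other inline script
    return {name: (inline_script_allowed(p, INLINE_BODY),
                   inline_script_allowed(p, other))
            for name, p in policies.items()}

if __name__ == "__main__":
    print(compare_fixes())
```

Each result pair is (setloc() allowed, other inline script allowed): 'unsafe-inline' permits both, while the hash source permits only the listed script body.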