Where did you install Firefox from? Help Mozilla uncover 3rd party websites that offer problematic Firefox installation by taking part in our campaign. There will be swag, and you'll be featured in our blog if you manage to report at least 10 valid reports!

Avatar for Username

Поиск в Поддержке

Избегайте мошенников, выдающих себя за службу поддержки. Мы никогда не попросим вас позвонить, отправить текстовое сообщение или поделиться личной информацией. Сообщайте о подозрительной активности, используя функцию «Пожаловаться».

Learn More

Эта тема была архивирована. Если вам нужна помощь, задайте новый вопрос.

firefox and csp

APJau3Rr
APJau3Rr
more options

Hi, At the moment I#m using Firefox 64.0 on a win10 laptop. Up to now I used Firefox Quantum 60.4esr on a Linux installation, but I thought it better to use an up to date win version. On my three page WordPress installation I am using a firewall plugin that lets me handle the frontend (Interaction user -blog) and backend (my interaction with WordPress core, themes and plugins) seperately concerning CSP . I'm just starting out (newbie) and as I had read that unsafe-inline and unsafe-eval were dangerous I decided to hash the inline scripts used in the blog (script-src 'self' 'hash' 'hash'...;;) To accomplish this I used Google Chrome, ver. 71.0. At the outset Chrome complained about seven script tags, which I with help of the hashes reduced to two.

Turning to Firefox (cache disabled) I realized that Firefox doesn't seem to care about the hashes: Exactly those inline scripts that I had decimated as problems in chrome popped up again in Firefox, I admit Firefox rejected much more than just the hashes Files on my domain inserted as <script src="https://mydomain/.../file.js"</script> becomes a returning problem, also I would love to know how to handle onload or onerror or such that is embedded in <link rel > tags

To sum things up: Why the different behaviour concerning hashes between Chrome and Firefox? How to CSP a file src'd in a script tag if its on the same domain? How about events embedded in Link tags?

Hoping for a reply asuring you that I have done my best to solve this on my own. Best Regards

Hi, At the moment I#m using Firefox 64.0 on a win10 laptop. Up to now I used Firefox Quantum 60.4esr on a Linux installation, but I thought it better to use an up to date win version. On my three page WordPress installation I am using a firewall plugin that lets me handle the frontend (Interaction user -blog) and backend (my interaction with WordPress core, themes and plugins) seperately concerning CSP . I'm just starting out (newbie) and as I had read that unsafe-inline and unsafe-eval were dangerous I decided to hash the inline scripts used in the blog (script-src 'self' 'hash' 'hash'...;;) To accomplish this I used Google Chrome, ver. 71.0. At the outset Chrome complained about seven script tags, which I with help of the hashes reduced to two. Turning to Firefox (cache disabled) I realized that Firefox doesn't seem to care about the hashes: Exactly those inline scripts that I had decimated as problems in chrome popped up again in Firefox, I admit Firefox rejected much more than just the hashes Files on my domain inserted as &lt;script src="https://mydomain/.../file.js"&lt;/script&gt; becomes a returning problem, also I would love to know how to handle onload or onerror or such that is embedded in &lt;link rel &gt; tags To sum things up: Why the different behaviour concerning hashes between Chrome and Firefox? How to CSP a file src'd in a script tag if its on the same domain? How about events embedded in Link tags? Hoping for a reply asuring you that I have done my best to solve this on my own. Best Regards

Изменено cor-el

Выбранное решение

APJau3Rr said

How about events embedded in Link tags?

For example, onclick? I think you'll need to move those to a script block if you block inline scripts. See:

https://developer.mozilla.org/docs/Web/API/EventTarget/addEventListener

Прочитайте этот ответ в контексте 👍 1

Все ответы (4)

cor-el
cor-el
  • Moderator
  • Top 10 Contributor
more options

Try to ask advice at the Stack Overflow forum site.

APJau3Rr
APJau3Rr Задавший вопрос
more options

Hi cor-el, 

 first of all thanks for your answer.

As for https://support.mozilla.org/en-US/kb/where-go-developer-support - well I'm no developer, just a normal user. As for Stackoverflow, I hoped a community of firefox users would know more about Firefox. If you still thik I could put a question at Mozilla Developer Support just let me know and I set my question as resolved.

Thanks for your time and Best Regards

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Hi APJau3Rr, can you give a link to a page where there's a problem?

Mozilla has a page describing hashing inline scripts here: https://developer.mozilla.org/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script

You mentioned a firewall tool --

APJau3Rr said

On my three page WordPress installation I am using a firewall plugin that lets me handle the frontend (Interaction user -blog) and backend (my interaction with WordPress core, themes and plugins) seperately concerning CSP . I'm just starting out (newbie) and as I had read that unsafe-inline and unsafe-eval were dangerous I decided to hash the inline scripts used in the blog (script-src 'self' 'hash' 'hash'...;;)

Is that where you are configuring the CSP headers? Maybe they can reality check them for cross-platform compatibility. Or in other words, maybe they allow things that don't work in Firefox without warning you...

Изменено jscher2000 - Support Volunteer

jscher2000 - Support Volunteer
jscher2000 - Support Volunteer
  • Top 10 Contributor
more options

Выбранное решение

APJau3Rr said

How about events embedded in Link tags?

For example, onclick? I think you'll need to move those to a script block if you block inline scripts. See:

https://developer.mozilla.org/docs/Web/API/EventTarget/addEventListener