Closed Bug 1227813 Opened 9 years ago Closed 9 years ago

CSP style-src 'unsafe-inline' preferred over hash-source / nonce-source

Categories

(Core :: DOM: Security, defect)

44 Branch
x86
macOS
defect
Not set
normal

Tracking


RESOLVED FIXED
mozilla48
Tracking Status
firefox48 --- fixed

People

(Reporter: kontakt, Assigned: ckerschb)

References

(Blocks 1 open bug, )

Details

(Whiteboard: [domsecurity-backlog])

Attachments

(2 files, 1 obsolete file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv:44.0) Gecko/20100101 Firefox/44.0
Build ID: 20151124004047

Steps to reproduce:
Visit http://demos.scheurle.info/firefox/csp-hash-source/

Actual results:
Red text reading "Your CSP is broken!" is displayed.

Expected results:
Green text reading "Your CSP works fine." should be displayed.

=> The red text is injected by some inline <style> tag, which, according to the specs (link can be found on the page mentioned above), should never be evaluated.
Component: Untriaged → DOM: Security
Product: Firefox → Core
OS: Unspecified → Mac OS X
Hardware: Unspecified → x86
Attached image Screenshot (deleted) —
Comment on attachment 8691719 [details] Screenshot
Screenshot showing:
* the CSP being defined
* the styles included
* the actual page
* the relevant part from the specs
Hi Chris, thanks for reporting. Please note that Meta CSP is only supported after FF 45 [See Bug 663570]. I only did a quick check, and it seems to be blocking correctly. However, the error is not displayed in the web console, which is definitely a bug. I'll have to investigate.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [domsecurity-backlog]
I used Meta tags in the demo to keep things compact, but I encountered the same behaviour when using HTTP headers. I just checked the demo with FF 45.0 and FF 46.0a2 and both are *not* blocking anything. Otherwise, there would be no text reading "Your CSP is broken!" at the top of the page.
Thanks Chris for reporting this bug. I know what's going on, we only implemented the 'ignore unsafe-inline part' for scripts, but not for styles [1]. Obviously that needs to be updated and fixed. [1] http://hg.mozilla.org/mozilla-central/rev/eeece72a1d99#l2.125
Assignee: nobody → mozilla
Blocks: csp-w3c-3
Status: NEW → ASSIGNED
Summary: CSP 'unsafe-inline' preferred over hash-source / nonce-source → CSP style-src 'unsafe-inline' preferred over hash-source / nonce-source
Attached patch bug_1227813_style_src_unsafe_inline.patch (obsolete) (deleted) — Splinter Review
Kate, regarding |mCurChar(nullptr)|. It seems something is off with that line-ending. I think we should just update that part with this patch and land as is. Other than that, the patch is pretty straight forward. Let me know if you have any questions. Thanks!
Attachment #8729715 - Flags: review?(kmckinley)
Comment on attachment 8729715 [details] [diff] [review] bug_1227813_style_src_unsafe_inline.patch
Review of attachment 8729715 [details] [diff] [review]:
-----------------------------------------------------------------
+1
Attachment #8729715 - Flags: review?(kmckinley) → review+
oh wait, there is a problem in the localization.
Keywords: checkin-needed
Sorry I missed that the first time when I flagged you for review. Anyway, we should also update the localization to include 'style-src' when logging to the console. Just tested - works fine.
Attachment #8729715 - Attachment is obsolete: true
Attachment #8729726 - Flags: review?(kmckinley)
Comment on attachment 8729726 [details] [diff] [review] bug_1227813_style_src_unsafe_inline.patch
Review of attachment 8729726 [details] [diff] [review]:
-----------------------------------------------------------------
+1 with l10n
Attachment #8729726 - Flags: review?(kmckinley) → review+
now for real :-)
Keywords: checkin-needed
Status: ASSIGNED → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48