as per many discussions we need to do this in 2016. from bug 600692 comment 16: Hey there! I was hoping we could get the conversation started again on CSP for BMO. Although BMO isn't a terribly common source of XSS attacks, it is a particularly high-profile target. As an ideal first CSP target, I was hoping we could implement something like this: Content-Security-Policy: default-src https: Namely, that we can load resources only over https, and we disable all inline scripts. When I apply that policy to BMO Prod, I get about a half-dozen on so minor inline script issues, several of which persist across multiple pages: >bugzilla.mozilla.org/:23 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-AIORuFNrQVH7IxwhuN5eMPlxlUAf+owvn9V9f76XzJY='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. Something related to YAHOO.namespace -- looks easy enough to move to an external file; it's currently just a <script> in <head> >bugzilla.mozilla.org/:77 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-/R3wm+GmaaPngJJakOUAzEEvIguO9JfVsV1BUEwW3ck='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. Looks like it creates a hidden input for Persona or something -- should also not be too terrible to move to an external file >bugzilla.mozilla.org/:154 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-2QBaTW8JqtEuH0xzTQOdcQjRPGIeXJOcPUAfzm7gask='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. More YAHOO stuff, just a <script> tag in <body> >bugzilla.mozilla.org/:172 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-jj1BbCKfjIYDkQEtBwQzi98q2L/NTkCLvGPe7CzJhAs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. More YAHOO stuff, just a <script> tag in <body> >bugzilla.mozilla.org/:281 Refused to execute inline script because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-j24qucoW1tDl3QPYeeP0bxGUvF0510fw+pWtBWgZ7QE='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. An inline script that checks to see if the form is empty >bugzilla.mozilla.org/:132 Refused to execute inline event handler because it violates the following Content Security Policy directive: "default-src https:". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'script-src' was not explicitly set, so 'default-src' is used as a fallback. <body onload=""> -- doesn't do anything It looks like there's quite a lot of inline scripts inside BMO, but it shouldn't (hopefully) be too agonizing to move them to external files. Moving all of the JavaScript to external files is the first step in implementing CSP to disable inline scripts. Plus, as bonus, it should provide a minor performance boost, since the inline code won't be sent along with every page request.

Might it make logical sense to tie this to the "force HTTPS" parameter? Gerv

(In reply to Gervase Markham [:gerv] from comment #2) > Might it make logical sense to tie this to the "force HTTPS" parameter? yes, good point (to allow non-https dev environments).