Open Bug 1267389 Opened 9 years ago Updated 2 years ago

CSP console error message for inline scripts is cryptic

Categories

(Core :: Security, defect)

47 Branch
defect


People

(Reporter: groovecoder, Unassigned)

References

(Blocks 2 open bugs)

Details

Steps to reproduce:

Go to a page with Content-Security-Policy with script-src value that blocks inline scripts. (e.g., http://dev-dashboard.deis.dev.mozaws.net/api/docs/)

Expected results:

Security console message should say "Refused to execute inline script ..."

Actual results:

Security console message says "Content Security Policy: The page's settings blocked the loading of a resource at self ..."

The especially tricky messaging is the "resource at self" because this particular CSP has 'self' in the directive, so it seems like a bug. Chrome's error message explicitly states that it blocked an *inline script*, which makes it much more obvious what's going on.
Christoph, what do you think about this wording? I think we've discussed CSP wording before but I can't seem to find a bug.
Flags: needinfo?(ckerschb)
(In reply to Brian Grinstead [:bgrins] from comment #1)
> Christoph, what do you think about this wording? I think we've discussed
> CSP wording before but I can't seem to find a bug.

Yes, I really like that update of wording. Using "Refused to execute inline script ..." sounds great to me. Is that a bug that you might take on?
Flags: needinfo?(ckerschb)
So to be clear, it sounds like the proposal is that we use a different string for inline script violations - instead of using the CSPViolationWithURI string [0]:

"The page's settings blocked the loading of a resource at %2$S ("%1$S")."

We would use:

"Refused to execute inline script "%1$S""

What is the expected %1$S string in your example? Seems it's usually a URL; what would it be for inline script violations?

[0]: https://dxr.mozilla.org/mozilla-central/source/dom/locales/en-US/chrome/security/csp.properties#12
Flags: needinfo?(lcrouch)
The key is to state that we're explicitly blocking inline scripts - not scripts at 'self'. That's the confusing part.

However, "Refused to execute" may be ambiguous too - why is Firefox refusing to execute the inline script? The message should probably mention both CSP *and* inline script. Most helpful would be something like Chrome's:

"Refused to execute inline script because it violates the following Content Security Policy directive: "

It would be helpful to add the "... because it violates the following Content Security Policy directive" to all the CSP messages.
Flags: needinfo?(lcrouch)
Moving to Core :: Security for further discussion since this message is originating from the platform
Component: Developer Tools: Console → Security
Product: Firefox → Core
Summary: CSP error message for inline scripts is cryptic → CSP console error message for inline scripts is cryptic
Warnings for scripts are similarly cryptic, e.g.:

"Content Security Policy: The page’s settings blocked the loading of a resource at self (“style-src”)."

and

"Content Security Policy: The page’s settings blocked the loading of a resource at self (“style-src”). Source: overflow: hidden;."

The first example provides no information. The second provides some, but doesn't point to the exact source.
Severity: normal → S3