[Webkit-unassigned] [Bug 222484] CSP: Link header with rel=preload does not recognize nonces
bugzilla-daemon at webkit.org
Fri Mar 29 17:40:35 PDT 2024
https://bugs.webkit.org/show_bug.cgi?id=222484
Tao Zhou <tao.zhou at glean.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |tao.zhou at glean.com
--- Comment #4 from Tao Zhou <tao.zhou at glean.com> ---
This issue still exists, and quite strangely, the violation is only reported if its `nonce` is only on the CSP-Report-Only header, but not when it's on the CSP header.
So we can observe the violation with the following headers:
```
Content-Security-Policy: script-src 'self' 'nonce-123';
Content-Security-Policy-Report-Only: script-src 'nonce-123' report-uri /foo;
```
but not on:
```
Content-Security-Policy: script-src 'nonce-123';
Content-Security-Policy-Report-Only: script-src 'nonce-123' report-uri /foo;
```