- Issue created by @gapple
Firefox had a bug that would not respect 'strict-dynamic', nonces, or hashes set on default-src if it was a fallback for script-src or style-src that were not set on a policy (https://bugzilla.mozilla.org/show_bug.cgi?id=1313937).
CSP module addresses this by copying the default-src value to the other directives if necessary.
The bug was fixed in Firefox 117 (Released Aug 2023, End of support Sep 2023), but is still present in the ESR 115 release supported until Oct 2024.
After Oct 2024, remove the Firefox bug fix method
Postponed
2.0
Code
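
The workaround described in the issue summary, as an added PHP example; it is not the CSP module's own code, and the function names and the array representation of a policy are assumptions made for illustration.

```php
<?php
// Added example, not the CSP module's code. All function names are hypothetical.

/** TRUE when default-src carries a source the Firefox bug ignores on fallback. */
function needsFirefoxFallbackCopy(array $sources): bool {
  foreach ($sources as $source) {
    if ($source === "'strict-dynamic'"
      || preg_match("#^'(nonce|sha256|sha384|sha512)-[A-Za-z0-9+/_=-]+'$#", $source)) {
      return TRUE;
    }
  }
  return FALSE;
}

/** Copy default-src to script-src and style-src only where they are not set. */
function applyFirefoxDefaultSrcWorkaround(array $directives): array {
  $default = $directives['default-src'] ?? [];
  if (!needsFirefoxFallbackCopy($default)) {
    // Plain host or keyword sources fall back correctly; leave the policy alone.
    return $directives;
  }
  foreach (['script-src', 'style-src'] as $name) {
    if (!array_key_exists($name, $directives)) {
      $directives[$name] = $default;
    }
  }
  return $directives;
}

/** Serialize a directive map into a Content-Security-Policy header value. */
function buildHeaderValue(array $directives): string {
  $parts = [];
  foreach ($directives as $name => $sources) {
    $parts[] = trim($name . ' ' . implode(' ', $sources));
  }
  return implode('; ', $parts);
}

// Constructed sample policy: style-src is set explicitly, script-src is not,
// so only script-src receives a copy of default-src.
$policy = [
  'default-src' => ["'self'", "'nonce-Y29uc3RydWN0ZWQ='"],
  'style-src' => ["'self'"],
];
echo buildHeaderValue(applyFirefoxDefaultSrcWorkaround($policy)), PHP_EOL;
```

An explicitly set directive is never overwritten, so the copy only makes the policy longer and does not change what a browser without the bug enforces.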