Closed
Labels
Content:HTTP (HTTP docs)
Description
MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src (and https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src-elem)
What information was incorrect, unhelpful, or incomplete?
In both pages, the explanation for the 'unsafe-inline' source mentions "inline <style> elements". But given that these directives (script-src and script-src-elem) are about specifying sources for JavaScript, surely this means that "inline <style> elements" are excluded?
Specific section or headline?
section explaining 'unsafe-inline'
What did you expect to see?
An explanation that is relevant to the directive, and that does not mention inline <style> elements at all.
ALSO:
- is 'unsafe-inline' even valid for script-src-elem, given that "The HTTP Content-Security-Policy (CSP) script-src-elem directive specifies valid sources for JavaScript <script> elements, but not inline script event handlers like onclick."?
- when is support for script-src-elem coming to Firefox?
Did you test this? If so, how?
MDN Content page report details
- Folder: en-us/web/http/headers/content-security-policy/script-src
- MDN URL: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
- GitHub URL: https://github.com/mdn/content/blob/main/files/en-us/web/http/headers/content-security-policy/script-src/index.html
- Last commit: 8d4fd70
- Document last modified: 2021-03-17T20:27:56.000Z