Content-Security-Policy violation for JSON endpoints
Reported by
ch...@cmbuckley.co.uk,
Oct 22
Issue description

UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.100 Safari/537.36

Example URL: https://scripts.cmbuckley.co.uk/csp/json.php

Steps to reproduce the problem:
Load URL above, or serve the following PHP script:

    <?php
    header("Content-Security-Policy: default-src 'self'");
    header('Content-Type: application/json');
    ?>{}

What is the expected behavior?
The styling for the JSON output is applied without displaying the error.

What went wrong?
The message in the console:

> Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'".

Does it occur on multiple sites: Yes
Is it a problem with a plugin? No
Did this work before? N/A
Does this work in other browsers? No
Safari (11.1.2)
Chrome version: 69.0.3497.100
Channel: stable
OS Version: OS X 10.11.6
Flash Version:
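An added example (not from the report or from Chromium) of how a site operator who collects CSP violation reports could separate the noise this issue produces from real violations. It assumes a report-uri is configured, and uses constructed sample reports plus a constructed path-to-content-type lookup in place of a real HEAD request or server config.

```python
import json
from urllib.parse import urlsplit

# Constructed sample bodies in the shape Chrome POSTs to a report-uri.
# The first mirrors this issue: inline style blocked on a document the
# server sent as JSON. The second is an ordinary external-script block.
SAMPLE_REPORTS = [
    '{"csp-report": {"document-uri": "https://scripts.cmbuckley.co.uk/csp/json.php",'
    ' "violated-directive": "default-src", "effective-directive": "style-src",'
    ' "original-policy": "default-src \'self\'", "blocked-uri": "inline",'
    ' "status-code": 200}}',
    '{"csp-report": {"document-uri": "https://scripts.cmbuckley.co.uk/index.html",'
    ' "violated-directive": "script-src", "effective-directive": "script-src",'
    ' "original-policy": "default-src \'self\'", "blocked-uri": "https://cdn.example/x.js",'
    ' "status-code": 200}}',
]

# Constructed lookup (assumption): which Content-Type each path is served with.
# In practice this comes from the server's own routing or a HEAD request.
CONTENT_TYPES = {
    "/csp/json.php": "application/json; charset=utf-8",
    "/index.html": "text/html",
}

def parse_report(body):
    """Parse one report POST body into its csp-report object."""
    return json.loads(body)["csp-report"]

def content_type_for(document_uri):
    """Bare media type of the document, without charset parameters."""
    raw = CONTENT_TYPES.get(urlsplit(document_uri).path, "unknown")
    return raw.split(";")[0].strip().lower()

def is_json_viewer_noise(report):
    """True when the violation cannot come from site content: the document
    was served as JSON, which carries no inline styles or scripts, so an
    'inline' block there is the browser's own raw-JSON viewer (this issue)."""
    served_as_json = content_type_for(report["document-uri"]) in (
        "application/json", "text/json")
    return bool(served_as_json and report.get("blocked-uri") == "inline")

def triage(bodies):
    """Split raw report bodies into viewer noise and violations to investigate."""
    noise, real = [], []
    for body in bodies:
        rep = parse_report(body)
        (noise if is_json_viewer_noise(rep) else real).append(rep)
    return noise, real
```

The real bucket is what should reach an alerting pipeline; the noise bucket can be counted but not alerted on, and disappears once the JSON viewer stops applying the page's CSP to its own styling.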
Comment 1 by swarnasree.mukkala@chromium.org, Oct 23

chris@ Thanks for filing the issue... Able to reproduce the issue on reported chrome version 69.0.3497.100 also on latest chrome 78.0.3588.0 using Mac 10.13.6, Ubuntu 14.04 and Windows 10. Same behavior is seen on M60 (60.0.3112.113) hence considering it as non-regression and marking it as Untriaged. Thanks..!
Oct 23

I expect this is part of a wider class of problems, even without considering where extensions have to worry about CSPs...
Nov 5

Looks like whatever we use to render raw JSON should disregard any CSP header.