Last active
June 16, 2018 11:11
-
-
Save lweichselbaum/9c8e32c592889ffc2f103fce9d45eaea to your computer and use it in GitHub Desktop.
Firefox CSP Bug - Dynamically created script with correct nonce gets blocked because of redirect.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| <!DOCTYPE html> | |
| <html> | |
| <head> | |
| <meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abcd1234'"> | |
| </head> | |
| <body> | |
| <script nonce='abcd1234'> | |
| var s = document.createElement('script'); | |
| s.setAttribute('nonce', 'abcd1234'); | |
| s.src = 'https://goo.gl/jEH8zk'; // redirects to jquery. | |
| document.head.appendChild(s); | |
| </script> | |
| </body> | |
| </html> |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment