Bug #102057
open
W3C validator complains about base64 values in CSP
0%
Description
From https://validator.w3.org/nu/
Warning: Content-Security-Policy HTTP header: Bad content security policy: Invalid base64-value (should be multiple of 4 bytes: 54)
From the specs at https://www.w3.org/TR/CSP3/#framework-directive-source-list
; Nonces: 'nonce-[nonce goes here]'
nonce-source = "'nonce-" base64-value "'"The base64-value grammar allows both base64 and base64url encoding. These encodings are treated as equivalant when processing hash-source values. Nonces, however, are strict string matches: we use the base64-value grammar to limit the characters available, and reduce the complexity for the server-side operator (encodings, etc), but the user agent doesn’t actually care about any underlying value, nor does it do any decoding of the nonce-source value.
For context, the used nonce value was 'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'
- that's
GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrAin base64web - that's
GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrAin base64 (shortened) - that's
GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA==in base64 (complete, 56 chars, 56 mod 4 = 0)
Updated by Oliver Hader 7 months ago
- Related to Task #101751: Use ConsumableNonce instead of blunt Nonce in CSP context added
Updated by Oliver Hader 6 months ago
- Priority changed from Should have to Could have
Please comment below in case you accidentally found this ticket and think it should be fixed - thx :)