Bug #102057

Updated by Oliver Hader 7 months ago

From https://validator.w3.org/nu/ 

 > Warning: Content-Security-Policy HTTP header: Bad content security policy: Invalid base64-value (should be multiple of 4 bytes: 54) 

 From the specs at https://www.w3.org/TR/CSP3/#framework-directive-source-list 

 > ; Nonces: 'nonce-[nonce goes here]' 
 > nonce-source    = "'nonce-" base64-value "'" 
 >  
 > The base64-value grammar allows both base64 and base64url encoding. These encodings are treated as equivalent when processing hash-source values. Nonces, however, are strict string matches: we use the base64-value grammar to limit the characters available, and reduce the complexity for the server-side operator (encodings, etc), but the user agent doesn’t actually care about any underlying value, nor does it do any decoding of the nonce-source value. 

 --- 

 For context, the used nonce value was @'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'@  

 * that's @GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA@ in base64web 
 * that's @GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA@ in base64 (shortened) 
 * that's @GFsVtSG1EzqppYEFujbWjoMJS2r8FDH/Y8mRjRl+sKg9L0sLpQqsrA==@ in base64 (complete, 56 chars, 56 mod 4 = 0)
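The three forms listed above can be reproduced with a short check. This is an added example, not part of the original issue or of the project's code: it matches a nonce-source against the CSP3 @base64-value@ grammar and derives the padded base64 form. The function names are hypothetical.

```python
import base64
import re

# CSP3 grammar: base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) 0*2"="
# nonce-source = "'nonce-" base64-value "'"
NONCE_SOURCE = re.compile(r"'nonce-([A-Za-z0-9+/\-_]+={0,2})'")


def parse_nonce_source(expression):
    """Return the base64-value of a nonce-source, or None if the grammar is not met."""
    match = NONCE_SOURCE.fullmatch(expression)
    return match.group(1) if match else None


def to_padded_base64(value):
    """Map base64url characters to base64 and pad to a multiple of 4 characters."""
    body = value.rstrip("=").translate(str.maketrans("-_", "+/"))
    if len(body) % 4 == 1:
        # No byte sequence encodes to a length of 4n+1 characters.
        raise ValueError("impossible base64 length: %d" % len(body))
    return body + "=" * (-len(body) % 4)


def describe_nonce(expression):
    """Summarise what a length-checking validator sees for a nonce-source."""
    value = parse_nonce_source(expression)
    if value is None:
        return None
    padded = to_padded_base64(value)
    return {
        "value": value,
        "length": len(value),
        "multiple_of_4": len(value) % 4 == 0,  # what the validator warning is about
        "padded": padded,
        "padded_length": len(padded),
        "decoded_bytes": len(base64.b64decode(padded, validate=True)),
    }


if __name__ == "__main__":
    # Nonce value quoted in this issue.
    issue_nonce = "'nonce-GFsVtSG1EzqppYEFujbWjoMJS2r8FDH_Y8mRjRl-sKg9L0sLpQqsrA'"
    for key, val in describe_nonce(issue_nonce).items():
        print(f"{key}: {val}")
```

The nonce satisfies the grammar as emitted; only the length check (54 is not a multiple of 4) separates it from the padded 56-character form.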
