67008 2011-08-25 18:03:12 -0700 Content Security Policy in Chrome doesn't let whitelisted script run 2011-09-28 11:06:56 -0700 1 1 1 Unclassified WebKit WebCore Misc. 528+ (Nightly build) Unspecified Unspecified RESOLVED DUPLICATE 68921 http://gradgrind.erso.berkeley.edu/appendscripttest.php P2 Normal --- 0 apf abarth abarth oldest_to_newest 457311 0 apf 2011-08-25 18:03:12 -0700 Load http:///gradgrind.erso.berkeley.edu/appendscripttest.php in Chrome and Firefox and you will get two different interpretations of the same CSP. The site has the following CSP set: header("X-Content-Security-Policy: allow 'self'; img-src *"); header("X-WebKit-CSP: default-src 'self'; img-src *"); On the page, a whitelisted script dynamically appends a "script" element to the head, with a source on the same domain. window.onload = function() { var headID = document.getElementsByTagName("head")[0]; var newScript = document.createElement('script'); newScript.type = 'text/javascript'; newScript.src = 'csp-4.js'; headID.appendChild(newScript); } In Firefox, the new script executes. In Chrome, the new script does not execute even though the src is whitelisted. It seems to me like the Firefox behavior is correct and the Chrome behavior is wrong. (My tests done on Google Chrome 15.0.862.0 canary and Firefox 6.0.) 474853 1 abarth 2011-09-28 11:06:56 -0700 *** This bug has been marked as a duplicate of bug 68921 ***