Content Security Policy does not work in Internet Explorer 11

In my ASP.NET Core application, for each response I'm adding a Content Security Policy header. I understand that for IE the header name is X-Content-Security-Policy and for other browsers like Chrome it's Content-Security-Policy.

The header value looks something like below, where the nonce is different for each response.

default-src 'none';   
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';  
style-src 'self' 'unsafe-inline';   
img-src 'self' data:;   
font-src 'self';    
object-src 'self';   
connect-src 'self';   
report-uri /csp/report;   

The application is using inline JavaScript on a few pages. So to fix the inline-script violation I am adding the same nonce value in the script tag.
<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
The important thing here is that the nonce value needs to match the nonce value in the header. Some details here.

I implemented middleware and a tag helper which add the nonce into the header and the script tag respectively. And I made sure that both nonce values do match when the page renders.

Then, just for testing purposes, on a page I added a script without a nonce:

<script type="text/javascript">
    $(function () {
        alert('i am hacker');
    })
</script>

Google Chrome detects this violation and blocks the above script as expected. However, in IE 11 the above script gets executed without any violation. Again, I made sure the header in IE is X-Content-Security-Policy.

Why is IE 11 not blocking the script?

LP13 asked Mar 21 '17 20:03

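For reference, here is one way to wire up the middleware and tag helper the question describes, as an added example and not the asker's own code. It generates a fresh CSPRNG nonce per response, stores it in HttpContext.Items, emits the question's policy on both header names, and lets a Razor view write `<script asp-nonce>` to get the matching nonce attribute. The class names CspNonce, CspNonceMiddleware and NonceScriptTagHelper, the "CspNonce" item key and the asp-nonce marker attribute are all assumptions; 'unsafe-eval' is kept only because the question's policy has it and should be dropped if nothing on the site needs eval(). Sending the X- header does not make IE11 enforce the nonce (see the answer), it just keeps the two values in lockstep so the check described in the question can be automated.

```csharp
// Added example (not from the question): per-response CSP nonce for ASP.NET Core.
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.Mvc.Rendering;
using Microsoft.AspNetCore.Mvc.ViewFeatures;
using Microsoft.AspNetCore.Razor.TagHelpers;

public static class CspNonce
{
    // Assumed key under which the nonce is stored for the current request.
    public const string ItemKey = "CspNonce";

    // 128 bits from the OS CSPRNG, base64-encoded: the form CSP2 expects in 'nonce-...'.
    public static string Generate()
    {
        var bytes = new byte[16];
        using (var rng = RandomNumberGenerator.Create())
        {
            rng.GetBytes(bytes);
        }
        return Convert.ToBase64String(bytes);
    }

    public static string Get(HttpContext ctx) =>
        ctx.Items.TryGetValue(ItemKey, out var value) ? (string)value : null;
}

public class CspNonceMiddleware
{
    private readonly RequestDelegate _next;

    public CspNonceMiddleware(RequestDelegate next) { _next = next; }

    public async Task Invoke(HttpContext context)
    {
        var nonce = CspNonce.Generate();
        context.Items[CspNonce.ItemKey] = nonce;

        // Headers have to be in place before the first byte of the body is written.
        context.Response.OnStarting(() =>
        {
            var policy =
                "default-src 'none'; " +
                $"script-src 'self' 'nonce-{nonce}' 'unsafe-eval'; " +
                "style-src 'self' 'unsafe-inline'; " +
                "img-src 'self' data:; " +
                "font-src 'self'; " +
                "object-src 'self'; " +
                "connect-src 'self'; " +
                "report-uri /csp/report";
            context.Response.Headers["Content-Security-Policy"] = policy;
            // IE11 honours only the sandbox directive on this header and ignores the rest,
            // so this does not block nonce-less inline scripts there.
            context.Response.Headers["X-Content-Security-Policy"] = policy;
            return Task.CompletedTask;
        });

        await _next(context);
    }
}

// Usage in a view: <script asp-nonce>alert('allowed');</script>
[HtmlTargetElement("script", Attributes = "asp-nonce")]
public class NonceScriptTagHelper : TagHelper
{
    [ViewContext]
    [HtmlAttributeNotBound]
    public ViewContext ViewContext { get; set; }

    public override void Process(TagHelperContext context, TagHelperOutput output)
    {
        // Replace the marker attribute with the real nonce from this response.
        output.Attributes.RemoveAll("asp-nonce");
        var nonce = CspNonce.Get(ViewContext.HttpContext);
        if (nonce != null)
        {
            output.Attributes.SetAttribute("nonce", nonce);
        }
    }
}
```

Register the middleware early in the pipeline with `app.UseMiddleware<CspNonceMiddleware>();` so it runs before anything that writes the body, and add the tag helper's assembly to `_ViewImports.cshtml` with `@addTagHelper *, YourAssemblyName` (assembly name assumed). Because the nonce is read from the same HttpContext the header was built from, a `<script>` that omits `asp-nonce` is exactly the "I am hacker" case in the question: it will be blocked by Chrome and other CSP2 browsers and reported to /csp/report.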

1 Answer

IE 11 doesn't support use of the nonce attribute and the 'nonce-...' source value at all.

The only CSP directive IE11 supports is the sandbox directive. It ignores all other CSP directives.

So you could just completely drop the 'nonce-somerandomvalue-differnt-foreach-reasone' part from your X-Content-Security-Policy header and IE11 will still allow inline scripts.

IE11 will allow inline scripts no matter what you do, unless you have your server send the response with an X-Content-Security-Policy: sandbox header, in which case it will disallow all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but that will allow all scripts, including inline scripts.

So I think that with IE11 there’s no way to tell it to disallow just inline scripts. You can only tell IE11 to either allow all scripts, or to allow none.


Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft spec that the nonce attribute was specified in was some time in 2014.

http://caniuse.com/#feat=contentsecuritypolicy has details on browser support for CSP1 directives:

Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the X-Content-Security-Policy header.

The nonce attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2

Support for nonce and other CSP2 features was added in Edge 15. So Edge 14 and earlier have no support for nonce or other new-in-CSP2 features. But Edge 12+ has full support for all of CSP1.

sideshowbarker answered Sep 21 '22 22:09