So I implemented CSP for my web app and it works perfectly fine in Chrome. All inline scripts with nonce
are executed; and the ones without it are not executed.
In Safari however, this is the message I see in the console:
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-fbe23fb21d40c38e8df7c0a16357dd3ec4be86ca233cb41206ac5f897cf9a103''. It will be ignored.
Header:
Content-Security-Policy script-src 'nonce-cb28e5c8a2b833169bb8d1fa686f659fed9b3bf8ea52b86916bcaf20a04b3209' 'self'
None of the inline scripts are executed, even the ones with a nonce.
Safari does not yet support nonces (please bug your local webkit representative to support this) but Firefox and Chrome have implemented the standard behavior which is backwards compatible. Namely, if a nonce is present then 'unsafe-inline' is ignored.

Send both 'unsafe-inline' and your nonce and you will get the desired behavior. Safari will complain about the "unknown source value" but it will work as intended.
See http://www.w3.org/TR/CSP2/#directive-script-src