User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161209094039

Steps to reproduce:

See this PoC: https://sirdarckcat.github.io/csp/nonce.html

Actual results:

You see an alert(1).

Expected results:

A CSP warning probably should have shown up.
To add more details: it seems that, for some reason, xml-stylesheet is governed by the script-src directive in CSP. I don't understand *why*, but assuming that's working as intended, when a 'nonce-random' is present you shouldn't allow any XML stylesheets to be loaded.
Oh, actually, I'm wrong. When 'nonce-random' is specified, 'unsafe-inline' is ignored. I got things mixed up, sorry.
OK, I'm honestly confused about what is supposed to happen. Why does this trigger a script-src CSP warning? http://evilwebsite.com/xss.php?nofil&http_xss=content-security-policy:object-src%20%27none%27;script-src%20%27nonce-random%27%20%27unsafe-inline%27%20%27unsafe-eval%27;&plain_xss=%3Ciframe%20src=%27data:text/xml,%3C?xml%20version=%221.0%22?%3E%20%3C?xml-stylesheet%20href=%22https://sirdarckcat.github.io/csp/xslt.xml%22%20type=%22text/xsl%22?%3E%3Ca%3E%3C/a%3E%27%3E%3C/iframe%3E And where would someone add a nonce here?
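The rule the previous two comments turn on (once a nonce- or hash-source appears in script-src, 'unsafe-inline' is ignored, while host and scheme sources still count) is easy to get backwards, so here is a small model of CSP Level 2 script-src evaluation as an added example. It is not code from the bug report, the PoC page or Firefox. `POC_POLICY` is the URL-decoded policy from the comment above; the page origin and the variant policies in the usage section are constructed for illustration, and the host matching is deliberately simplified (scheme-source, exact host, `*.` wildcard, 'self').

```javascript
// Added example (not from the bug report or Firefox): a minimal model of how a
// CSP Level 2 script-src directive is evaluated, to show that 'unsafe-inline'
// is dropped as soon as any 'nonce-...' or hash source is present, and that a
// resource that carries no nonce attribute (such as an xml-stylesheet
// processing instruction) can then only be allowed by a host/scheme source.

// Policy from the reproduction URL above, URL-decoded.
const POC_POLICY = "object-src 'none';script-src 'nonce-random' 'unsafe-inline' 'unsafe-eval';";

// Parse "name src src; name src" into a Map of lower-cased directive names.
// A repeated directive is ignored, as CSP does (first occurrence wins).
function parsePolicy(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!directives.has(key)) directives.set(key, sources);
  }
  return directives;
}

// Keyword sources ('self', 'unsafe-inline', ...) match ASCII case-insensitively;
// nonce values are base64 and must compare exactly.
const isKeyword = (s, kw) => s.toLowerCase() === `'${kw}'`;
const isNonceOrHash = s => /^'(nonce|sha256|sha384|sha512)-[^']+'$/i.test(s);

// Effective script-src list: fall back to default-src, then drop
// 'unsafe-inline' when any nonce- or hash-source is present (CSP2 rule).
function effectiveScriptSrc(directives) {
  const sources = directives.get('script-src') || directives.get('default-src') || [];
  if (!sources.some(isNonceOrHash)) return sources;
  return sources.filter(s => !isKeyword(s, 'unsafe-inline'));
}

// Decision for an inline <script> that may carry a nonce="..." attribute.
function inlineScriptAllowed(policy, scriptNonce) {
  const sources = effectiveScriptSrc(parsePolicy(policy));
  if (scriptNonce !== undefined && sources.includes(`'nonce-${scriptNonce}'`)) return true;
  return sources.some(s => isKeyword(s, 'unsafe-inline'));
}

// Decision for a fetched URL (an external script, or the XSLT in the PoC if
// that load is checked against script-src). Nonces and keywords other than
// 'self' never match a URL; only scheme- and host-sources can allow it.
function urlAllowed(policy, url, pageOrigin) {
  const sources = effectiveScriptSrc(parsePolicy(policy));
  const target = new URL(url);
  return sources.some(s => {
    if (isKeyword(s, 'self')) return target.origin === pageOrigin;
    if (s.startsWith("'")) return false;
    if (/^[a-z][a-z0-9+.-]*:$/i.test(s)) return target.protocol.toLowerCase() === s.toLowerCase();
    const host = s.replace(/^[a-z][a-z0-9+.-]*:\/\//i, '').replace(/\/.*$/, '').toLowerCase();
    if (host.startsWith('*.')) return target.hostname.endsWith(host.slice(1));
    return target.hostname === host;
  });
}

// Usage: the PoC policy against the PoC's own stylesheet URL and an
// illustrative page origin (constructed).
const XSLT_URL = 'https://sirdarckcat.github.io/csp/xslt.xml';
const PAGE_ORIGIN = 'http://evilwebsite.com';
console.log(JSON.stringify({
  inlineWithNonce: inlineScriptAllowed(POC_POLICY, 'random'),   // true
  inlineWithoutNonce: inlineScriptAllowed(POC_POLICY),          // false: 'unsafe-inline' ignored
  xsltUnderPocPolicy: urlAllowed(POC_POLICY, XSLT_URL, PAGE_ORIGIN), // false: no host source
  xsltWithHostSource: urlAllowed("script-src 'nonce-random' https://sirdarckcat.github.io",
                                 XSLT_URL, PAGE_ORIGIN),        // true
}));
```

The two `false` results are the practical answer to the question in the comment above: with only a nonce in script-src there is nowhere to hang that nonce on a processing instruction, so the stylesheet can only be admitted by adding its host (or scheme) to the directive.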
Unmarking sec-sensitive per the comments.