CSP header with: default-src 'none' 'nonce-xxx' does not execute inline scripts
Categories: Core :: DOM: Security, defect
People: Reporter: ceckoslab, Unassigned
Details
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36
Steps to reproduce:
- Load a page with a simple inline script: <script nonce="xx-unique-nonce">alert("executed")</script>
- Send a CSP header from the origin that looks like --> default-src 'none' 'nonce-xx-unique-nonce'
Actual results:
The inline script was blocked by the browser.
The browser console reported:
- [warning]: Content Security Policy: Ignoring unknown option 'none'
- [error]: Content Security Policy: The page’s settings blocked the loading of a resource at inline (“default-src”).
Expected results:
Not quite sure because Chrome and Safari are executing the script under the same condition.
Also the script runs if I use script-src rather than default-src.
E.g. --> script-src 'none' 'nonce-xx-unique-nonce'
This is what I got in the browser's console:
- [warning]: Content Security Policy: Ignoring unknown option 'none'
- [error]: Content Security Policy: The page’s settings blocked the loading of a resource at https://s2.go-mpulse.net/boomerang/8WYVA-VHWT3-NJU5F-XVBLK-47DNY (“script-src”).
The error message came from a script that is a loader for a library Boomerang JS. I expected this script to be blocked.
Additionally:
Chrome and Safari execute the script when we have:
- default-src 'none' 'nonce-xx-unique-nonce'
- script-src 'none' 'nonce-xx-unique-nonce'
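To make the behaviour discussed in this report concrete, here is an added Python model of the CSP3 rules involved (example code written for this page, not Firefox's or Chrome's implementation): script-src falls back to default-src, 'none' only has an effect when it is the sole source expression, and a nonce-source matches an inline script carrying the same nonce. The function and pattern names are my own.

```python
import re
from typing import Dict, List, Optional

# CSP3 base64-value grammar: ALPHA / DIGIT / "+" / "/" / "-" / "_" plus optional "=" padding.
NONCE_SOURCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/_\-]+=*)'$")


def parse_policy(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive-name: [source-expression, ...]}."""
    policy: Dict[str, List[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]], directive: str) -> Optional[List[str]]:
    """script-src is governed by default-src when absent, which is why the
    console error above names "default-src" for an inline script."""
    return policy.get(directive, policy.get("default-src"))


def inline_script_allowed(header: str, nonce: Optional[str]) -> bool:
    """Decide whether an inline <script nonce=...> may run under this header."""
    sources = effective_sources(parse_policy(header), "script-src")
    if sources is None:
        return True  # no governing directive, so the policy does not restrict it

    # CSP3: 'none' only matters when it is the single source expression.
    # A 'none' listed beside other expressions is simply ignored, which is the
    # case Firefox reports as "Ignoring unknown option 'none'".
    if [s.lower() for s in sources] == ["'none'"]:
        return False

    # Otherwise the inline script runs only if a nonce-source matches its nonce.
    for source in sources:
        match = NONCE_SOURCE_RE.match(source)
        if match and nonce is not None and match.group(1) == nonce:
            return True
    return False
```

Under this model both headers from the report ("default-src 'none' 'nonce-xx-unique-nonce'" and "script-src 'none' 'nonce-xx-unique-nonce'") allow the nonce-carrying inline script, matching what the reporter saw in Chrome and Safari.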
Thanks for looking at this issue.
I see that we resolved it as a duplicate, but do we know why we get this warning message in the console?
[warning]: Content Security Policy: Ignoring unknown option 'none'
I assumed that the warning is a hint about the browser's behavior.