user3152280

Reputation: 93

Why isn't this inline javascript blocked by content security policy?

I have a page that I set the script-src of the content security policy like this:

script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:* 

When I load the page with a hard-coded inline script I have created myself to test, it is blocked as expected:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:* ". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

However, when I insert a new script tag dynamically, the script isn't blocked, for example, this still executes:

$("body").append("<script>alert('xss');</script>")

I am using Chrome as the browser here for testing. I was hoping that this script would be blocked as well, since that would really help to prevent xss. Is there something I can change to block this type of script injection as well?

Upvotes: 8

Views: 2028

Answers (1)

Sheng

Reputation: 451

The script you add with append or innerHTML won't be executed unless you use eval(). So it's not violating CSP.

Although this may look like a cross-site scripting attack, the result is harmless. HTML5 specifies that a tag inserted via innerHTML should not execute. 1

See script elements inserted using innerHTML do not execute when they are inserted.

Upvotes: 3
