Jeremy Hutchinson

Reputation: 2045

Edge ignores script-src in Content Security Policy

I have the following Content Security Policy

value="default-src 'self'
       style-src 'self' 'unsafe-inline'; 
       script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
       img-src 'self' data: https://s3.amazonaws.com;
       frame-src 'self' *.salesforce.com *.force.com;"

This works fine in Chrome and Firefox. In Edge it is not running because we have some inline scripts (i.e. onClick="foo()").

My understanding is that the default-src sets the defaults and the script-src should override those defaults.

Does anyone know if this is a bug in Edge, or if I've botched it in some way?

Upvotes: 2

Views: 2536

Answers (1)

Jeremy Hutchinson

Reputation: 2045

Turns out the problem was that though that is the way our CSP looks in our web.test.config, the transform puts the following into the web.config

value="default-src 'self'
           style-src 'self' 'unsafe-inline'; 

       script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; 
           img-src 'self' data: https://s3.amazonaws.com;
           frame-src 'self' *.salesforce.com *.force.com;"

Basically the XDT replaces the CRLFs in the value with , which causes Edge to give up on processing the CSP so you only get the first line.

Bug submitted. https://connect.microsoft.com/IE/feedbackdetail/view/2272282/edge-stops-processing-content-security-policy-on-xd-xa

Upvotes: 4
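As an added example (not code from the post), a small pre-deployment check written in Python that parses a policy the way the CSP spec does (directives split on ';', tokens split on ASCII whitespace, which includes CR and LF) and flags the two problems visible on this page: CR/LF inside the header value, and a directive name that lands inside the previous directive's source list because the ';' before it is missing (the default-src line in both policies above has no ';' after 'self', so style-src is never set and styles fall back to default-src). The sample policy is constructed to mirror the one in the answer.

```python
import re

# Constructed sample mirroring the answer's web.config value, with the CR/LF
# that the XDT transform leaves inside the header value.
POLICY_WITH_NEWLINES = (
    "default-src 'self'\r\n"
    "    style-src 'self' 'unsafe-inline'; \r\n"
    "    script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; \r\n"
    "    img-src 'self' data: https://s3.amazonaws.com;\r\n"
    "    frame-src 'self' *.salesforce.com *.force.com;"
)

# Constructed corrected policy: one line, every directive terminated by ';'.
POLICY_FIXED = (
    "default-src 'self'; style-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' http://svc.webspellchecker.net; "
    "img-src 'self' data: https://s3.amazonaws.com; "
    "frame-src 'self' *.salesforce.com *.force.com;"
)

KNOWN_DIRECTIVES = {
    "default-src", "script-src", "style-src", "img-src", "frame-src",
    "connect-src", "font-src", "media-src", "object-src", "child-src",
}

def parse_csp(policy):
    """Parse a serialized policy per the CSP grammar: directives are separated
    by ';', tokens by ASCII whitespace (CR/LF included). First occurrence of a
    directive name wins; later duplicates are ignored."""
    directives = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives

def lint_csp(policy):
    """Return (code, detail) problems a release check should reject."""
    problems = []
    if re.search(r"[\r\n]", policy):
        problems.append(("crlf-in-value", "header value contains CR/LF; serve it on one line"))
    for name, values in parse_csp(policy).items():
        for v in values:
            # A directive name among the sources means the ';' before it is missing,
            # so that directive never takes effect and its sources are granted to `name`.
            if v.lower() in KNOWN_DIRECTIVES:
                problems.append(("missing-semicolon", f"'{v}' parsed as a source of {name}"))
    return problems

def normalize_whitespace(policy):
    """Collapse all runs of whitespace (including CR/LF) to single spaces."""
    return " ".join(policy.split())
```

Collapsing whitespace cures the CR/LF problem but not the missing ';', which only shows up by parsing the policy as the browser will.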
