JoaMika

Reputation: 1827

Inline script violates Content Security Policy

I am loading an external script from chargebee.com and I am receiving this error message in the console:

[Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'nonce-VVZ+V0c=' 'self' https://maps.googleapis.com https://domain.chargebeestatic.com http://dgkxwewtzsnml.cloudfront.net/static/app-static-assets/hp/hp-4.8.5/". Either the 'unsafe-inline' keyword, a hash ('sjZUY='), or a nonce ('nonce-...') is required to enable inline execution.

My content security policy defined in Nginx is:

add_header Content-Security-Policy "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';" always;

Since I have specified 'unsafe-inline', I am not sure why this error pops up.

Update:

I can see this when I click on the iframe connector in the Safari console:

<!DOCTYPE>
<html>
<head>
  <title></title>

<script  nonce="Au5oDesccjEDNeeHfk=" >window.cb_hp_cdn_path="//dgkxetzsnml.cloudfront.net/static/app-static-assets/hp/hp-4.8.5/"</script>
</head>
<body>

</body>
<script  src="https://domain.chargebeestatic.com/api/internal/15346543/retrieve_init_info"  nonce="Au5oejEDNGKHHfk=" ></script>
<script type='text/javascript' src='//dgkxwewtzsnml.cloudfront.net/static/app-static-assets/hp/hp-4.8.5/javascripts/vendor.js'></script>

  <script type='text/javascript' src='//dgkxwewtzsnml.cloudfront.net/static/app-static-assets/hp/hp-4.8.5/javascripts/hp_connector.js'></script>

</html>

Upvotes: 3

Views: 14168

Answers (1)

markus

Reputation: 40675

You may not use unsafe-inline and nonces at the same time. As soon as a nonce is added to your CSP, the unsafe-inline directive will be ignored by the browser.

If you're not adding the nonce yourself, then you're not in full control of your CSP because one of your dependencies is adding one which is either merged with yours or worse overwrites yours. Look at your headers with the browser dev tools to see if the headers actually sent correspond with your own CSP. You will find that they don't.

As a matter of fact, using unsafe-inline as a script source negates the whole point of having a CSP in the first place, so the best way to solve this would be to refactor your software to use nonces as well and then add your own nonce to your CSP.

Upvotes: 3
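As an added example (not code from the question or the answer), here is a small Python model of the rule markus describes: once a nonce or hash appears in the governing directive, 'unsafe-inline' is ignored, script-src falls back to default-src when absent, and when more than one policy is delivered to a document, each of them must allow the script. The two sample policies are constructed from the header values quoted in the question.

```python
import base64
import hashlib

# Added example (not from the question or the answer): a minimal model of how a
# browser decides whether an inline <script> may run under a CSP. The sample
# policies below are constructed from the header values quoted in the question.

def parse_csp(header):
    """Split a CSP header value into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def script_sources(policy):
    """script-src governs scripts; if absent, the browser falls back to default-src."""
    return policy.get("script-src", policy.get("default-src", []))

def script_hash(script_text):
    """Base64 SHA-256 of an inline script body, the value used in a 'sha256-...' source."""
    return base64.b64encode(hashlib.sha256(script_text.encode()).digest()).decode()

def inline_script_allowed(header, nonce=None, script_text=None):
    """True if an inline script with this nonce and/or body may run under one policy."""
    sources = script_sources(parse_csp(header))
    nonces = {s[len("'nonce-"):-1] for s in sources if s.startswith("'nonce-")}
    hashes = {s[len("'sha256-"):-1] for s in sources if s.startswith("'sha256-")}
    if nonces or hashes:
        # Any nonce or hash in the directive makes the browser ignore 'unsafe-inline'.
        digest = script_hash(script_text) if script_text is not None else None
        return nonce in nonces or digest in hashes
    return "'unsafe-inline'" in sources

def allowed_by_all(headers, nonce=None, script_text=None):
    """When several CSP headers reach one document, each of them must allow the script."""
    return all(inline_script_allowed(h, nonce, script_text) for h in headers)

# Constructed from the question: the asker's nginx policy and the reported policy.
ASKER_POLICY = "default-src 'self' https: data: 'unsafe-inline' 'unsafe-eval';"
REPORTED_POLICY = ("script-src 'nonce-VVZ+V0c=' 'self' https://maps.googleapis.com "
                   "https://domain.chargebeestatic.com")

if __name__ == "__main__":
    print(inline_script_allowed(ASKER_POLICY))                       # True: no nonce, so 'unsafe-inline' counts
    print(inline_script_allowed(REPORTED_POLICY))                    # False: nonce present, none supplied
    print(inline_script_allowed(REPORTED_POLICY, nonce="VVZ+V0c="))  # True
    print(allowed_by_all([ASKER_POLICY, REPORTED_POLICY]))           # False: the stricter policy wins
```

Running it shows why the asker's 'unsafe-inline' has no effect once a nonce-bearing script-src is in play: the inline script is allowed only when it carries the nonce that the nonce-bearing policy names.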
