user23481636

Reputation: 1

Want to remove style-src 'unsafe-inline' from application

I'm trying to mitigate XSS attacks by setting the Content-Security-Policy header but Chrome keeps throwing an error:

Refused to execute inline event handler because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-Njg3MGUxNzkyMjViNDZkN2I3YTM3MDAzY2M0MjUxZGEzZmFhNDU0OGZjNDExMWU5OTVmMmMwMTg4NTA3ZmY4OQ=='". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

I don't want to include style-src 'unsafe-inline' in my application, but removing it throws the error above. Here's my Content-Security-Policy header:

        httpResponse.setHeader(
                "Content-Security-Policy",
                // No script-src directive is set here, so script-src falls back to default-src
                "default-src 'self' 'unsafe-inline' 'unsafe-eval' data:;"
                        + "style-src 'self' fonts.googleapis.com 'sha256-CwE3Bg0VYQOIdNAkbB/Btdkhul49qZuwgNCMPgNY5zw=';"
                        + "base-uri 'self' data:;"
                        + "frame-src 'self' * data:;"
                        + "connect-src 'self' * data:;"
                        + "font-src 'self' fonts.gstatic.com https://cdn.predix-ui.com data:;"
                        + "frame-ancestors 'self' data:");
        chain.doFilter(request, httpResponse);

Upvotes: 0

Views: 1141

Answers (2)

Halvor Sakshaug

Reputation: 3475

The error message includes the script-src directive "script-src 'self' 'nonce-Njg3MGUxNzkyMjViNDZkN2I3YTM3MDAzY2M0MjUxZGEzZmFhNDU0OGZjNDExMWU5OTVmMmMwMTg4NTA3ZmY4OQ=='", while there is no script-src directive in your configured policy. As it is lacking, it should use the fallback to default-src, which should allow 'unsafe-inline'. Either you changed the policy in the meantime, or you have multiple policies defined.

The error message says that there is an inline event handler (onclick, onchange etc.). These can be allowed with a hash and 'unsafe-hashes' in CSP level 3, but the best solution is to rewrite them with an event listener.

For XSS, you should be most concerned about restricting script-src. XSS through styles is really hard if you restrict the rest of your CSP, see https://scotthelme.co.uk/can-you-get-pwned-with-css/.

Upvotes: 0

Mikhail

Reputation: 9300

This message complains about scripts (not styles):

Refused to execute inline event handler

And there is no setup for the script-src in your illustrated code snippet.

Arrange the allowed types / sources (especially those related to script content) to resolve this issue.

Upvotes: 0
