CSP does not recognize nonces in non-inline scripts

Confirmed Issue #13246371 • Assigned to Paul W.

Details

Author
Kagami R.
Created
Aug 14, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
16.16257
Reports
Reported by 5 people


Steps to reproduce

  1. Access https://bugs.chromium.org/p/chromium/issues/detail?id=739483

Expected: No warnings on console

Actual:

HTML1300: Navigation occurred.

CSP14304: Unknown source ''strict-dynamic'' for directive 'script-src' in Content-Security-Policy - source will be ignored.

CSP14317: Ignoring 'unsafe-inline' for directive 'script-src' in Content-Security-Policy because nonce or hash value is specified.

CSP14321: Resource violated directive 'script-src 'unsafe-inline' 'strict-dynamic' https://www.gstatic.com/recaptcha/api2/ 'self' 'nonce-yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ'' in Content-Security-Policy: inline script, in https://bugs.chromium.org/p/chromium/issues/detail?id=739483 at line 0 column 0. Resource will be blocked.

SEC7115: :visited and :link styles can only differ by color. Some styles were not applied to :visited.

CSP14312: Resource violated directive 'script-src 'unsafe-inline' 'strict-dynamic' https://www.gstatic.com/recaptcha/api2/ 'self' 'nonce-yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ'' in Content-Security-Policy: https://storage.googleapis.com/crdx-feedback.appspot.com/feedback.js. Resource will be blocked.

CSP14312: Resource violated directive 'script-src 'unsafe-inline' 'strict-dynamic' https://www.gstatic.com/recaptcha/api2/ 'self' 'nonce-yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ'' in Content-Security-Policy: https://www.google-analytics.com/analytics.js. Resource will be blocked.

If you inspect elements you can see that the scripts (that are dynamically added to head) have correct nonces.

<script src="//www.google-analytics.com/analytics.js" async="" nonce="yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ"></script>

Attachments

0 attachments

    Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “wwatri”

      Changed Assigned To from “wwatri” to “Paul W.”

      Changed Status to “Confirmed”

      Changed Assigned To from “Paul W.” to “wwatri”

      Changed Title from “Unexpected CSP errors on Chromium bug tracker” to “CSP does not recognize nonces in non-inline scripts”

    • We’ve recently hit this issue and after some debugging were pointed to the problem by Artur Janc on Twitter: https://twitter.com/arturjanc/status/929768393003143168

      He has a demo page set up to show the issue: https://arturjanc.com/cgi-bin/edge-nonce.py

      This is problematic and essentially makes CSP nonces useless as most sites have external resources.

    • Microsoft Edge Team

      Changed Assigned To from “wwatri” to “Paul W.”

    • I’m having a problem where the hash for display:none is not recognised

      I’m using
      ‘sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=’

      Is there something wrong with the way I generated the hash or is this the same problem?

      Here are the warning messages from the console

      CSP14317: Ignoring ‘unsafe-inline’ for directive ‘style-src’ in Content-Security-Policy because nonce or hash value is specified.
      CSP14321: Resource violated directive 'style-src ‘self’ ‘unsafe-inline’ https://fonts.googleapis.com ‘sha256-aqNNdDLnnrDOnTNdkJpYlAxKVJtLt9CtFLklmInuUAE=’’ in Content-Security-Policy: inline style, … The resource will be blocked.
