CSP does not recognize nonces in non-inline scripts

Confirmed Issue #13246371 • Assigned to wwatri

Details

Author
Kagami R.
Created
Aug 14, 2017
Privacy
This issue is public.
Found in
  • Microsoft Edge
Found in build #
16.16257
Reports
Reported by 1 person


Steps to reproduce

  1. Access https://bugs.chromium.org/p/chromium/issues/detail?id=739483

Expected: No warnings on console

Actual:

HTML1300: Navigation occurred.

CSP14304: Unknown source ''strict-dynamic'' for directive 'script-src' in Content-Security-Policy - source will be ignored.

CSP14317: Ignoring 'unsafe-inline' for directive 'script-src' in Content-Security-Policy because nonce or hash value is specified.

CSP14321: Resource violated directive 'script-src 'unsafe-inline' 'strict-dynamic' https://www.gstatic.com/recaptcha/api2/ 'self' 'nonce-yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ'' in Content-Security-Policy: inline script, in https://bugs.chromium.org/p/chromium/issues/detail?id=739483 at line 0 column 0. Resource will be blocked.

SEC7115: :visited and :link styles can only differ by color. Some styles were not applied to :visited.

CSP14312: Resource violated directive 'script-src 'unsafe-inline' 'strict-dynamic' https://www.gstatic.com/recaptcha/api2/ 'self' 'nonce-yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ'' in Content-Security-Policy: https://storage.googleapis.com/crdx-feedback.appspot.com/feedback.js. Resource will be blocked.

CSP14312: Resource violated directive 'script-src 'unsafe-inline' 'strict-dynamic' https://www.gstatic.com/recaptcha/api2/ 'self' 'nonce-yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ'' in Content-Security-Policy: https://www.google-analytics.com/analytics.js. Resource will be blocked.

If you inspect elements you can see that the scripts (that are dynamically added to head) have correct nonces.

<script src="//www.google-analytics.com/analytics.js" async="" nonce="yJVYZYeMGbFcRfuA0KBWyyPFnKeriKQQ"></script>

Attachments

0 attachments

Comments and activity

    • Microsoft Edge Team

      Changed Assigned To to “wwatri”

      Changed Assigned To from “wwatri” to “Paul W.”

      Changed Status to “Confirmed”

      Changed Assigned To from “Paul W.” to “wwatri”

      Changed Title from “Unexpected CSP errors on Chromium bug tracker” to “CSP does not recognize nonces in non-inline scripts”
