Modernizr Causes Content Security Policy (CSP) Violation Errors

Question

I am attempting to use the new Content Security Policy (CSP) HTTP headers on a test site. When I use CSP in conjunction with Modernizr I get CSP violation e

Answer 1

I found a fix without having to use unsafe-inline.

You can modify the unminimized Modernizr at one line:

fakeBody = body || document.createElement('body');

convert to

fakeBody = document.createElement('body');

works on IE9, Firefox, and Chrome.

Answer 2

I suspect there's no other solution than to rewrite the parts of Modernizr that use inline code or dynamically evaluated code (which applies to both JS and CSS). The experiences of AngularJS ngCsp might be useful here.