In my asp.net core application for each response i'm adding content security policy header. I understand that for IE, the header name is X-Content-Security-Policy
and for other browsers like chrome its Content-Security-Policy
The header value looks something like below where nonce
is different for each response.
default-src 'none';
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
object-src 'self';
connect-src 'self';
report-uri /csp/report;
The application is using inline javascript on few pages. So to fix inline-script violation i am adding same nonce
value in script tag.<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
Important thing here is the nonce value needs to match with the nonce value in header. some details here
I implemented middleware & tag-helper which adds nonce into header & script tag respectively. And i made sure that both nonce
values does match when page renders.
Then just for testing purpose on a page i added script without nonce
<script type="text/javascript">
$(function () {
alert('i am hacker');
})
</script>
Google chrome detects this violation and blocks the above script as expected. However in IE 11 above script gets executed without any violation. Again, I made sure the header in IE is X-Content-Security-Policy
Why IE 11 is not blocking script?
IE 11 doesn’t support use of the nonce
attribute and nonce-
source value at all.
The only CSP directive IE11 supports is the sandbox
directive. It ignores all other CSP directives.
So you could just completely drop the 'nonce-somerandomvalue-differnt-foreach-reasone'
part from your X-Content-Security-Policy
header and IE11 will still allow inline scripts.
IE11 will allow inline scripts no matter what you do, unless you have your server send the response with a X-Content-Security-Policy: sandbox
header, in which case it will disallow all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts
, but that will allow all scripts, including inline scripts.
So I think that with IE11 there’s no way to tell it to disallow just inline scripts. You can only tell IE11 to either allow all scripts, or to allow none.
Also note: IE11 was released in 2013, long before the nonce
attribute was specified anywhere. I think the first CSP draft spec that the nonce
attribute was specified in was some time in 2014.
http://caniuse.com/#feat=contentsecuritypolicy has details on browser support for CSP1 directives:
Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the
X-Content-Security-Policy
header.
The nonce
attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2
Support for nonce
and other CSP2 features was added in Edge 15. So Edge 14 and earlier have no support for nonce
or other new-in-CSP2 features. But Edge12+ has full support for all of CSP1.
来源:https://stackoverflow.com/questions/42937146/content-security-policy-does-not-work-in-internet-explorer-11