Content Security Policy does not work in Internet Explorer 11

拥有回忆 submitted on 2019-12-05 08:30:14

IE 11 doesn’t support use of the nonce attribute and nonce- source value at all.

The only CSP directive IE11 supports is the sandbox directive. It ignores all other CSP directives.

So you could just completely drop the 'nonce-somerandomvalue-differnt-foreach-reasone' part from your X-Content-Security-Policy header and IE11 will still allow inline scripts.

IE11 will allow inline scripts no matter what you do, unless you have your server send the response with a X-Content-Security-Policy: sandbox header, in which case it will disallow all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but that will allow all scripts, including inline scripts.

So I think that with IE11 there’s no way to tell it to disallow just inline scripts. You can only tell IE11 to either allow all scripts, or to allow none.

Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft spec that the nonce attribute was specified in was some time in 2014.

http://caniuse.com/#feat=contentsecuritypolicy has details on browser support for CSP1 directives:

Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the X-Content-Security-Policy header.

The nonce attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2

Support for nonce and other CSP2 features was added in Edge 15. So Edge 14 and earlier have no support for nonce or other new-in-CSP2 features. But Edge12+ has full support for all of CSP1.
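As an added illustration (not part of the answer above), the following Python helper models the behaviour the answer describes: a modern browser evaluates the nonce-based `Content-Security-Policy`, while IE11 keeps only the `sandbox` directive from `X-Content-Security-Policy` and blocks scripts only when `sandbox` appears without `allow-scripts`. The function names, the `IE11_SUPPORTED` set and the sample policies are assumptions made for this example; the parser is a deliberately simple split on `;` and whitespace, enough for the policies shown here.

```python
import base64
import secrets
from typing import Dict, List

# Per the answer above: IE11 honours only the sandbox directive,
# and only when it arrives in the X-Content-Security-Policy header.
# (Assumed constant for this example.)
IE11_SUPPORTED = {"sandbox"}


def make_nonce(nbytes: int = 16) -> str:
    """Generate a fresh, unguessable nonce for one response (base64 text)."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def build_csp(nonce: str) -> str:
    """Modern policy: inline scripts run only when their nonce attribute matches."""
    return f"default-src 'self'; script-src 'self' 'nonce-{nonce}'"


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive name: [source expressions]}."""
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        policy[tokens[0].lower()] = tokens[1:]
    return policy


def ie11_effective_policy(value: str) -> Dict[str, List[str]]:
    """Model what IE11 actually enforces from an X-Content-Security-Policy
    value: every directive other than sandbox is dropped."""
    return {k: v for k, v in parse_csp(value).items() if k in IE11_SUPPORTED}


def ie11_inline_scripts_allowed(value: str) -> bool:
    """True if IE11 would still run inline scripts under this header value.

    Without a sandbox directive IE11 ignores the policy entirely; with
    'sandbox' it blocks all scripts; with 'sandbox allow-scripts' it
    allows all scripts again, inline ones included."""
    effective = ie11_effective_policy(value)
    if "sandbox" not in effective:
        return True
    return "allow-scripts" in effective["sandbox"]


def response_headers(nonce: str) -> Dict[str, str]:
    """Headers a server might emit: the real policy for modern browsers,
    plus the legacy header IE11 reads (only its sandbox part matters)."""
    return {
        "Content-Security-Policy": build_csp(nonce),
        # IE11 will ignore everything here except 'sandbox ...'; the
        # nonce source has no effect in that browser.
        "X-Content-Security-Policy": build_csp(nonce),
    }


if __name__ == "__main__":
    # Constructed sample policies, not taken from any real deployment.
    nonce = make_nonce()
    for hdr, val in response_headers(nonce).items():
        print(f"{hdr}: {val}")
    for sample in (build_csp(nonce), "sandbox", "sandbox allow-scripts"):
        print(f"{sample!r:>60}  IE11 runs inline scripts: "
              f"{ie11_inline_scripts_allowed(sample)}")
```

Running the script shows the three outcomes the answer lists: a nonce-only policy leaves inline scripts enabled in IE11, a bare `sandbox` disables every script, and `sandbox allow-scripts` re-enables them all.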
