Chrome data-URI; CSP-violation although nonce- and sha256- are set

I have a complete HTML page with inline JS, inline CSS and base64-encoded images, which I load as a base64-encoded data URI:

data:text/html;base64, .....

The Chrome console states that I have a CSP violation, although I have used all(?) possible mitigations:

  • I use the meta-tag option to set less strict CSP rules
  • I have implemented the nonce- mitigation
  • I also have implemented the sha256- hash mitigation

Nevertheless, Chrome states that I have CSP violations. Everything runs fine in Firefox, but Chromium-based browsers don't work.

html:

    <!doctype html>
    <html lang="en">
    <head><meta http-equiv="Content-Security-Policy" content="script-src *  'sha256-Rg49/Z/r5MViuVxsD4nXhpLpVMHbCB8N+Z0shdtNaHE=' 'sha256-OAIlw5RTg+TQhqHqIyHzfBfsq521OfIy5WK4hMd4F8c=' 'sha256-TPPz6zUeSHBWLcT8iTaj5ZhZC8qH8Szzx8qbeik9ca0=' 'unsafe-inline' 'nonce-ChuckLovesYouChrome' data data:; script-src-elem * 'unsafe-inline' 'nonce-ChuckLovesYouChrome' data data:; ">
      <meta charset="utf-8">

Inline-script tags (three of them - all start like this):

<script nonce="ChuckLovesYouChrome"

The page is not being served by a webserver, so there is no HTTP header with CSP declarations in place/involved. Still I get those errors:

[image: console errors with CS declarations]

What am I missing?
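A way to check which inline scripts a meta-delivered policy like the one above matches by nonce or hash, as an added example that is not part of the original post. The names `Collector`, `csp_hash`, `audit` and `SAMPLE` are hypothetical and the sample page is constructed; the check covers only nonce and hash sources and does not model `'unsafe-inline'`, host or scheme sources, or how a browser treats `data:` documents.

```python
import base64
import hashlib
from html.parser import HTMLParser

class Collector(HTMLParser):
    """Collects the <meta> CSP (last one wins here) and each inline <script>."""
    def __init__(self):
        super().__init__()
        self.policy, self.scripts, self._cur = "", [], None
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("http-equiv") or "").lower() == "content-security-policy":
            self.policy = a.get("content") or ""
        elif tag == "script" and "src" not in a:
            self._cur = {"nonce": a.get("nonce"), "text": ""}
    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"] += data  # exact script text, whitespace included
    def handle_endtag(self, tag):
        if tag == "script" and self._cur is not None:
            self.scripts.append(self._cur)
            self._cur = None

def csp_hash(text):
    """Hash-source value for an inline script: base64 of SHA-256 over its UTF-8 bytes."""
    digest = hashlib.sha256(text.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")

def audit(html):
    """Return (governing directive, per-script nonce/hash match results)."""
    c = Collector()
    c.feed(html)
    directives = {}
    for part in c.policy.split(";"):
        tokens = part.split()
        if tokens:  # a repeated directive is ignored; the first occurrence wins
            directives.setdefault(tokens[0].lower(), set(tokens[1:]))
    # <script> elements are governed by script-src-elem, else script-src, else default-src.
    name = next((n for n in ("script-src-elem", "script-src", "default-src") if n in directives), None)
    sources = directives.get(name, set())
    return name, [{"hash": csp_hash(s["text"]),
                   "hash_ok": f"'{csp_hash(s['text'])}'" in sources,
                   "nonce_ok": bool(s["nonce"]) and f"'nonce-{s['nonce']}'" in sources}
                  for s in c.scripts]

# Constructed sample: the hash of script B is listed under script-src only.
_A, _B = "console.log('a');", "console.log('b');"
SAMPLE = ("<!doctype html><html><head><meta http-equiv=\"Content-Security-Policy\" "
          f"content=\"script-src '{csp_hash(_B)}' 'nonce-example'; script-src-elem 'nonce-example'\">"
          f"</head><body><script nonce=\"example\">{_A}</script><script>{_B}</script></body></html>")
```

Running `audit(SAMPLE)` reports `script-src-elem` as the governing directive, so the hash listed only under `script-src` is not consulted for the second script.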

1 answer
