Chrome data-URI; CSP-violation although nonce- and sha256- are set
I have a complete html-page with inline js, inline-css and base64 encoded images, that I load as a base64 encoded data URI.
The Chrome console states I have a CSP violation, although I have used all(?) possible mitigations:
- I use the meta-tag option to set less strict CSP rules
- I have implemented the nonce- mitigation
- I also have implemented the sha256- hash mitigation

Nevertheless: Chrome states that I have CSP violations. Everything runs fine in Firefox, but Chromium based browsers don't work.
<!doctype html>
<html lang="en">
<head><meta http-equiv="Content-Security-Policy" content="script-src * 'sha256-Rg49/Z/r5MViuVxsD4nXhpLpVMHbCB8N+Z0shdtNaHE=' 'sha256-OAIlw5RTg+TQhqHqIyHzfBfsq521OfIy5WK4hMd4F8c=' 'sha256-TPPz6zUeSHBWLcT8iTaj5ZhZC8qH8Szzx8qbeik9ca0=' 'unsafe-inline' 'nonce-ChuckLovesYouChrome' data data:; script-src-elem * 'unsafe-inline' 'nonce-ChuckLovesYouChrome' data data:; ">
<meta charset="utf-8">
Inline-script tags (three of them - all start like this):
The page is not being served by a webserver, so there is no http-header with CSP declarations in place/involved. Still I get those errors:

[Image: console errors with CS declarations]

What am I missing?
The most likely explanation is that you have inline event handlers (attributes) such as onclick, onload etc. You will need to refactor them as described here https://csp.withgoogle.com/docs/adopting-csp.html. You could use 'unsafe-hashes' for CSP level 3, https://content-security-policy.com/unsafe-hashes/, but there are still a lot of level 2 browsers around and you really don't want any 'unsafe'.
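The check this answer describes, as an added example (not from the original post or the linked guides): a Node.js sketch that lists inline event-handler attributes in a page and reports whether the policy's effective directive permits them. The sample HTML, sample policy, and the names `cspHash`, `sources` and `auditHandlers` are constructed for illustration.

```javascript
const crypto = require("crypto");

// CSP hash-source for inline script text: 'sha256-<base64 of SHA-256 digest>'.
function cspHash(text) {
  const digest = crypto.createHash("sha256").update(text, "utf8").digest("base64");
  return `'sha256-${digest}'`;
}

// Source list of one directive, or null if the policy does not set it.
function sources(policy, directive) {
  for (const part of policy.split(";")) {
    const [name, ...list] = part.trim().split(/\s+/);
    if (name.toLowerCase() === directive) return list;
  }
  return null;
}

// Event-handler attributes are checked against script-src-attr, then
// script-src, then default-src. Regex scan is a heuristic, not an HTML parser.
function auditHandlers(html, policy) {
  const list = sources(policy, "script-src-attr") ??
    sources(policy, "script-src") ?? sources(policy, "default-src");
  const hasNonceOrHash = (list ?? []).some(s => /^'(nonce|sha(256|384|512))-/.test(s));
  // 'unsafe-inline' is ignored when the same list carries a nonce or hash.
  const inlineOk = list === null || (list.includes("'unsafe-inline'") && !hasNonceOrHash);
  const unsafeHashes = list !== null && list.includes("'unsafe-hashes'");
  const findings = [];
  for (const m of html.matchAll(/\s(on[a-z]+)\s*=\s*(?:"([^"]*)"|'([^']*)')/gi)) {
    const code = m[2] ?? m[3];
    const hash = cspHash(code);
    const allowed = inlineOk || (unsafeHashes && list.includes(hash));
    findings.push({ attribute: m[1].toLowerCase(), code, hash, allowed });
  }
  return findings;
}

// Constructed sample: same shape as the question's policy (nonce plus 'unsafe-inline').
const SAMPLE_POLICY = "script-src * 'unsafe-inline' 'nonce-constructedNonce'; " +
  "script-src-elem * 'unsafe-inline' 'nonce-constructedNonce'";
const SAMPLE_HTML = `<body onload="init()">
<button onclick="save()">Save</button>
<script nonce="constructedNonce">function init(){} function save(){}</script>
</body>`;

for (const f of auditHandlers(SAMPLE_HTML, SAMPLE_POLICY)) {
  console.log(`${f.attribute}="${f.code}" allowed=${f.allowed} hash=${f.hash}`);
}
```

Each handler reported with `allowed=false` is a candidate for moving into `addEventListener` inside a nonce-carrying script; the printed hash is the value an `'unsafe-hashes'` policy would need to list.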