'strict-dynamic'
…makes CSP deployments easier. This demo page will show you why and how.
Content-Security-Policy:
    script-src 'strict-dynamic' 'nonce-u6rB+jrp2phChUWVgcDK6w==' 'unsafe-inline' http: https:; object-src 'none'; base-uri 'none'

What each directive value does:

script-src values
  'strict-dynamic'
      Scripts that an already-trusted script creates via document.createElement('script'); or similar are allowed to run (CSP3 and above). A browser that understands it ignores the 'unsafe-inline', http: and https: entries below.
  'nonce-u6rB+jrp2phChUWVgcDK6w=='
      Script elements carrying nonce="u6rB+jrp2phChUWVgcDK6w==" can be fetched and executed (CSP2 and above).
  'unsafe-inline'
      Backward compatibility for CSP1 browsers, which do not understand nonces; a browser that supports nonces ignores it.
  http:
  https:
      Backward compatibility for CSP2 browsers, which do not understand 'strict-dynamic'; a browser that supports 'strict-dynamic' ignores them.

object-src values
  'none'
      No plugin content (object, embed) may be loaded.

base-uri values
  'none'
      Blocks injected base tags, which can be used to set the base URL for relative script URLs to an evil domain.

Demo rows (the live page shows which of these actually ran in your browser):
  <script nonce="u6rB+jrp2phChUWVgcDK6w==" src="color.js">
  document.createElement('script');
      runs because of 'strict-dynamic'
  <script nonce="u6rB+jrp2phChUWVgcDK6w==" src="color.js">
  <script src="color.js">
      runs because of https:, nonce was ignored
  [Disable backward compatibility]
'strict-dynamic'
does not allow an executing script to load more scripts via "HTML-parser-inserted" script elements (regular <script>
tags, including ones written with document.write). That means the following script, or anything similar, will not work. (Try it anyway)
<script nonce="u6rB+jrp2phChUWVgcDK6w==">
document.write('<script src="https://code.jquery.com/jquery-3.7.1.min.js" async defer><\/script>');
</script>
The nonce needs to be a base64-value; otherwise browsers will ignore it. Try a non-base64 value and check the console.
See also the general host-based CSP demo page and the reporting demo app.