'strict-dynamic'
…makes CSP deployments easier. This demo page will show you why and how.
Content-Security-Policy:
script-src 'strict-dynamic' 'nonce-XCOesYkuMRsxSjrnk7xnlA=='; object-src 'none'; base-uri 'none'
script-src
values'strict-dynamic'
document.createElement('script');
or similar (CSP3 and above)'nonce-XCOesYkuMRsxSjrnk7xnlA=='
nonce="XCOesYkuMRsxSjrnk7xnlA=="
can be fetched and executed (CSP2 and above)'unsafe-inline'
http:
https:
object-src
values'none'
base-uri
values'none'
base
tags, which can be used to set the base URL for relative script URLs to an evil domain<script nonce="XCOesYkuMRsxSjrnk7xnlA==" src="color.js">
document.createElement('script');
because of strict-dynamicCSP Level 2 & Level 1 backward compatibility disabled, enable
'strict-dynamic'
doesn't allow executed script to load more scripts via "HTML-parser-inserted" script elements (regular <script>
tags). That means that the following script or similar will not work. (Try it anyway)
<script nonce="XCOesYkuMRsxSjrnk7xnlA==">
document.write('<script src="https://code.jquery.com/jquery-3.7.1.min.js" async defer><\/script>');
</script>
Nonce needs to be a Base64-value, otherwise browsers will ignore it. Try non-Base64-value and check console.
Check also general host-based CSP demo page and reporting demo app.