Why Inline Javascript is executed without error when Content-Security-Policy header is defined but not inline-script directive
According to the CSP website, When you have a Content-Security-Policy header defined, the browser will automatically block inline scripts.
However after removing all my other directives just left with Content-Security-Policy: script-src 'self' https: http:, my inline script is executed without error, why is that?
What I expect is my browser should block any inline javascript to run. Then that is where nonce, hashes and unsafe-inline comes in.
My inline javascript
<script>
function test() {
console.log("inline javascript is executed")
}
test();
</script>
CSP Browser Test (Chrome Version 100.0.4896.127 (Official Build) (x86_64) )
Safari Test Result gives me correct errors but Chrome will run inline scripts without errors
i've put this small PHP file on my local xampp for testing...
first two notations are blocking the alert and the last allows it. Tested on
- Chrome v103.0.5060.114 x64
- Edge 103.0.1264.49 x64
- Firefox 102.0.1 x64.
All browsers create an error message on the console that the inline execution of a script has been blocked because of CSP.
<?php
// no alert
//header("Content-Security-Policy: script-src 'self' http: https:", true);
// no alert
header("Content-Security-Policy: script-src 'self'", true);
// alert
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'", true);
?><html>
<head><title></title></head>
<body>
<script>alert('test');</script>
</body>
</html>
Troubleshooting ideas:
- Check the console if there CSP header is recognized or if there are unprintable chars or other syntax errors
- Are there browser addons that are modifying incoming headers
- Is there a security software running that is modifying incoming headers
- Is a proxy server blocking the headers
- Chunk downloading of the big files right to the hard drive
- My custom CSS transition animation is not working on hover after I added AOS JS library
- how to get the Google analytics client ID
- Toggle vue-multiselect close/open on button click
- Best way to filter an objects's properties for data
- Passing function with arguments as a prop and invoking it internally in React
- Outlook calendar don't render with FullCalendar
- Is there a way to validate and allow only https url's using .isUri i.e. without using Regex in JavaScript?
- How to clear react native webview cookies?
- Skipping a test in Cypress conditionally
- How can I get all the HTML in a document or node containing shadowRoot elements
- Typescript: No index signature with a parameter of type 'string' was found on type '{ "A": string; }
- Retain Twitter Bootstrap Collapse state on Page refresh/Navigation
- How to get "Results per Row" (from a 'clicked entry' off a "dropdown menu") to show up correctly?
- Is there is a C# function which is similar to .Map() in JavaScript?
- How to trigger SVG render same as manual DOM edit in Chrome using JS?
- How do I test a Node.JS Script that is not a module and runs as soon as it's called?
- Set element width based on a string that is not in the element
- Testing JavaScript Written for the Browser in Node JS
- Where are the trailing commas coming from in these radio buttons?
- How to verify a signature from the Phantom wallet?
- How to get the value of a Google Chrome flag using Javascript
- event.preventDefault cannot block clipboard paste in chatgpt.com prompt box
- Should I use ref or findDOMNode to get react root dom node of an element?
- Disable button for 5 seconds with different label and change after it
- JavaScript - Get all but last item in array
- React-Redux: Should all component states be kept in Redux Store
- Is it possible to use Closure Compiler ADVANCED_OPTIMIZATIONS with jQuery?
- Capture selected option returns not defined instead
- Uncaught TypeError: matchExpr[type].exec is not a function