According to the CSP website, when you have a Content-Security-Policy header defined, the browser will automatically block inline scripts.
However, after removing all my other directives so that I am left with just Content-Security-Policy: script-src 'self' https: http:, my inline script is executed without error. Why is that?
What I expect is that my browser should block any inline JavaScript from running. That is where nonces, hashes and 'unsafe-inline' come in.
My inline JavaScript:
<script>
    function test() {
        console.log("inline javascript is executed")
    }
    test();
</script>
CSP browser test (Chrome Version 100.0.4896.127 (Official Build) (x86_64)):
Safari's test result gives me the correct errors, but Chrome will run inline scripts without errors.
I've put this small PHP file on my local XAMPP for testing.
The first two notations block the alert and the last one allows it. Tested on
All browsers create an error message on the console that the inline execution of a script has been blocked because of CSP.
<?php
// no alert
//header("Content-Security-Policy: script-src 'self' http: https:", true);
// no alert
header("Content-Security-Policy: script-src 'self'", true);
// alert
//header("Content-Security-Policy: script-src 'self' 'unsafe-inline'", true);
?><html>
<head><title></title></head>
<body>
<script>alert('test');</script>
</body>
</html>
Troubleshooting ideas:
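To make the rules behind the three headers in the PHP test page concrete, here is a small model of the browser's decision, added as an example (it is not code from the question or the answer): inline script is blocked unless 'unsafe-inline' is listed, and once any nonce or hash source is present, 'unsafe-inline' is ignored and only a script with a matching nonce or hash may run. The script body and header strings are constructed for the demonstration.

```python
import base64
import hashlib
from typing import Optional

# Added example: model how a browser evaluates an inline <script> against the
# script-src (or fallback default-src) directive of a Content-Security-Policy.

def parse_csp(header: str) -> dict:
    """Split "a b; c d" into {"a": ["b"], "c": ["d"]}; the first copy of a directive wins."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy.setdefault(parts[0].lower(), parts[1:])
    return policy

def script_hash_source(script_body: str) -> str:
    """Hash source expression for the exact text between <script> and </script>."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_allowed(header: str, script_body: str, nonce: Optional[str] = None) -> bool:
    """True if an inline script with this body (and optional nonce attribute) may execute."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src"))
    if sources is None:
        return True  # nothing governs scripts, so inline code is unrestricted
    nonce_or_hash = [s for s in sources
                     if s.lower().startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))]
    if nonce_or_hash:
        # Nonces/hashes present: 'unsafe-inline' is ignored (CSP Level 2 and later) and
        # only a matching nonce attribute or a matching hash of the body lets the script run.
        if nonce is not None and f"'nonce-{nonce}'" in sources:
            return True
        return script_hash_source(script_body) in sources
    return any(s.lower() == "'unsafe-inline'" for s in sources)

if __name__ == "__main__":
    body = "alert('test');"  # the inline script from the PHP test page
    for hdr in ["script-src 'self' http: https:",
                "script-src 'self'",
                "script-src 'self' 'unsafe-inline'",
                "script-src 'self' " + script_hash_source(body)]:
        print(f"{hdr[:60]:60} -> {inline_script_allowed(hdr, body)}")
```

The first two headers report False (blocked), matching the "no alert" cases in the PHP file, while 'unsafe-inline' or a hash of the exact script body reports True.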