Add `unsafe-inline` to CSP `script-src` when using nonces/hashes
Describe the problem
One of the recommendations by https://csp-evaluator.withgoogle.com regarding script-src is the following:
> Consider adding 'unsafe-inline' (ignored by browsers supporting nonces/hashes) to be backward compatible with older browsers.

Describe the proposed solution
Add unsafe-inline after nonce-* to the script-src option by default, or provide a way for users to do it.
Alternatives considered
I tried adding it myself with this configuration:
```js
// svelte.config.js
const config = {
	kit: {
		csp: {
			directives: {
				'script-src': ['unsafe-inline']
			}
		}
	}
};
```
But this replaces the whole thing, and removes the nonce-*, so the resulting CSP would just be:
```
script-src 'unsafe-inline'
```
Importance
nice to have
Additional Information
No response
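To make the behaviour behind the csp-evaluator recommendation concrete, here is an added example (not SvelteKit's code and not from the issue author). It models how a browser evaluates an inline script against a `script-src` directive that carries both a nonce and `'unsafe-inline'`, and compares the nonce-only policy SvelteKit emits, the nonce-plus-`'unsafe-inline'` policy the issue proposes, and the `'unsafe-inline'`-only policy the override above produced. The function names, the `supportsCsp2` flag and the sample nonce are assumptions made for the illustration.

```javascript
// Added example, not SvelteKit's code. Models how a browser evaluates an
// inline <script> against a script-src directive that carries both a nonce
// and 'unsafe-inline'. Function names and the supportsCsp2 flag are assumed
// for illustration only.

// Build the script-src value the issue asks for: the per-response nonce first,
// then any extra sources such as 'unsafe-inline' for older browsers.
function buildScriptSrc(nonce, extra = []) {
  return [`'nonce-${nonce}'`, ...extra].join(' ');
}

// Split a directive value into its source expressions.
function parseScriptSrc(value) {
  return value.trim().split(/\s+/).filter(Boolean);
}

// Decide whether an inline script is allowed under `directive`.
//   scriptNonce  - the nonce attribute on the <script>, or null if absent
//   supportsCsp2 - true for a browser that understands nonce-/hash-sources
//                  (CSP Level 2); false for a CSP Level 1 browser.
// CSP Level 2 rule: if the directive contains any nonce- or hash-source,
// 'unsafe-inline' is ignored. A Level 1 browser does not recognise those
// sources at all, so only 'unsafe-inline' can admit an inline script there.
// Hash-sources are recognised but not verified in this model.
function inlineScriptAllowed(directive, { scriptNonce = null, supportsCsp2 = true } = {}) {
  const sources = parseScriptSrc(directive);
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const hasUnsafeInline = sources.includes("'unsafe-inline'");

  if (supportsCsp2 && hasNonceOrHash) {
    return scriptNonce !== null && sources.includes(`'nonce-${scriptNonce}'`);
  }
  return hasUnsafeInline;
}

// Walk the three policies discussed in the issue through both browser classes.
function compareScenarios() {
  const nonce = 'r4nd0m'; // constructed sample nonce
  const policies = {
    nonceOnly: buildScriptSrc(nonce),                                // nonce only
    nonceAndUnsafeInline: buildScriptSrc(nonce, ["'unsafe-inline'"]), // what the issue proposes
    unsafeInlineOnly: "'unsafe-inline'"                               // what the override produced
  };
  const results = {};
  for (const [name, directive] of Object.entries(policies)) {
    results[name] = {
      // the app's own script, carrying the correct nonce, in a modern browser
      csp2_correctNonce: inlineScriptAllowed(directive, { scriptNonce: nonce, supportsCsp2: true }),
      // an injected inline script (no nonce) in a modern browser
      csp2_injectedScript: inlineScriptAllowed(directive, { scriptNonce: null, supportsCsp2: true }),
      // any inline script in a CSP Level 1 browser, which ignores nonces entirely
      csp1_anyInline: inlineScriptAllowed(directive, { supportsCsp2: false })
    };
  }
  return results;
}
```

The comparison shows the trade-off the issue is about: with the nonce alone, a CSP Level 1 browser blocks the app's own inline scripts; adding `'unsafe-inline'` after the nonce lets those browsers run them while a CSP Level 2 browser still ignores `'unsafe-inline'` and blocks anything without the nonce; and `'unsafe-inline'` on its own, which is what the override in the issue produced, lets injected inline scripts run in every browser.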
Do we know what "older browsers" is specifically? If it's IE11 which we don't support anyway we might as well skip this.
Also not sure if this should be given the enhancement or bug label depending on how we see that, so I gave it both.
> Do we know what "older browsers" is specifically? If it's IE11 which we don't support anyway we might as well skip this.
@dummdidumm I think we do, nonces and hashes were added in CSP Level 2, so any browser that doesn't support CSP 2 or onwards would be what "older browsers" refers to here — see caniuse.com/contentsecuritypolicy2
As you can see in the caniuse chart, it's not just IE11, but also Safari < 3.1, Chrome < 39, Edge < 18, and Firefox < 30, most notably.
I'm doubting we want to support several-year-old versions of browsers that update themselves by default, either.