csp-builder
"support older browsers" nonce fix
Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as well. Of course, this is less secure again.
Firefox and Edge ignore the "unsafe-inline" directive if nonces are also called, so this is fine in those browsers; but... I can't determine if Chrome or newer versions of iOS Safari (10+) do the same. Thus, I'm not positive that just adding unsafe-inline is the correct (safe) fix. Worth investigating though.
Are these versions of iOS Safari still supported?
(I'm asking because I don't own any Apple products, so I don't have a frame of reference. This could be an "Internet Explorer 11" bug or an "Internet Explorer 5.5" bug and I wouldn't know which.)
Apple seems to come out with a new iOS about every year or so, and the current version is 11 – so iOS 9 certainly isn't new, but not ancient either. Maybe on par with IE 11 or possibly 10.
A lot of people are still on iOS 9 or 10 because certain iPhones and iPads max out at that OS.
I believe it falls within a reasonable “older browsers”. iOS 5 or lower would be analogous to IE 6....
(Edit: more like iOS 1 or 2....)
Looked it up. iOS 9 was introduced in September 2015.
Okay, I did some testing with inline non-nonced Style and Script tags. So...
CSP script-src has a nonce set, AND 'unsafe-inline' set to true.
CSP style-src has a nonce set, AND 'unsafe-inline' set to true.
"Pass" means the browser blocked the non-nonced Style and Script. "Fail" means it did not block the non-nonced Style or Script:
- Firefox 59: PASS
- Firefox 56: PASS
- Chrome 66: PASS
- Edge: PASS
- Safari 11.1 on Mac (current): PASS
- Safari on iOS 11 (current): PASS
- Safari on iOS 10: PASS
- Safari on iOS 9: FAIL
- Internet Explorer 11: FAIL
Results:
- If your CSP sets default-src to 'none', but style-src or script-src to a nonce, old browsers will fail to run those scripts or styles, because they don't understand nonces and fall back to the default 'none'.
- If a browser that does understand CSP nonces has a nonce set AND unsafe-inline set, it ignores the unsafe-inline. (Note: In csp-builder you have to set the unsafe-inline before you set the nonce!) THEREFORE:
- To properly support older browsers, when setting nonces you also have to set unsafe-inline.
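Added example (Python, not csp-builder's own code): it builds a policy with and without 'unsafe-inline' next to the nonce and simulates how a nonce-aware browser versus a legacy browser decides whether an inline element runs, reproducing the PASS/FAIL matrix above. The function names `build_policy` and `inline_allowed` and the sample nonce are assumptions made for this illustration.

```python
import re
import secrets
from typing import Optional

# Matches a CSP nonce-source such as 'nonce-abc123' (charset covers token_urlsafe output).
NONCE_SOURCE = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")


def build_policy(nonce: str, support_old_browsers: bool) -> str:
    """Serialize a CSP header value (hypothetical builder, not csp-builder's API).

    With support_old_browsers, 'unsafe-inline' is listed beside the nonce: browsers
    that understand nonces ignore it, browsers that do not use it as their fallback.
    """
    sources = ["'unsafe-inline'"] if support_old_browsers else []
    sources.append(f"'nonce-{nonce}'")
    src = " ".join(sources)
    return f"default-src 'none'; script-src {src}; style-src {src}"


def parse_policy(header: str) -> dict:
    """Split a serialized policy into {directive name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_allowed(header: str, directive: str, browser_understands_nonces: bool,
                   element_nonce: Optional[str] = None) -> bool:
    """Simulate the browser check for an inline element governed by `directive`
    (script-src or style-src), falling back to default-src when it is absent."""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src", []))
    nonces = {m.group(1) for src in sources if (m := NONCE_SOURCE.match(src))}
    if browser_understands_nonces and nonces:
        # CSP Level 2+: a nonce-source makes 'unsafe-inline' a no-op, so the
        # element must carry a matching nonce attribute.
        return element_nonce in nonces
    # Legacy path: nonce-sources are unrecognised, so only 'unsafe-inline' can
    # permit inline code; a 'none' fallback blocks everything.
    return "'unsafe-inline'" in sources


if __name__ == "__main__":
    nonce = secrets.token_urlsafe(16)  # constructed per-response nonce
    for label, header in (("strict", build_policy(nonce, False)),
                          ("compat", build_policy(nonce, True))):
        for modern in (True, False):
            print(label, "nonce-aware" if modern else "legacy",
                  "nonced:", inline_allowed(header, "script-src", modern, nonce),
                  "un-nonced:", inline_allowed(header, "script-src", modern))
```

In the compat policy a nonce-aware browser still blocks the un-nonced script (the PASS rows), while a legacy browser runs any inline script (the iOS 9 and IE 11 FAIL rows); in the strict policy the legacy browser blocks even the nonced script.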
Hi, this is very interesting. The CSP evaluator also recommends this approach, so could the unsafe-inline directive be included if a nonce is set and supportOldBrowsers is true?