So I implemented CSP in a web app, and it works fine in Chrome: inline scripts with the nonce are executed, and the ones without it are not executed.
In Safari, however, I see this message in the console:
The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-fbe23fb21d40c38e8df7c0a16357dd3ec4be86ca233cb41206ac5f897cf9a103''. It will be ignored.
The header:
content-security-policy script-src 'nonce-cb28e5c8a2b833169bb8d1fa686f659fed9b3bf8ea52b86916bcaf20a04b3209' 'self'
None of the inline scripts are executed, not even the ones with the nonce.
Safari does not yet support nonces (please bug your local WebKit representative to support this). Firefox and Chrome have implemented the standard behavior, which is backwards compatible: namely, if a nonce is present, 'unsafe-inline' is ignored.
Send both 'unsafe-inline' and the nonce, and you will get the desired behavior. Safari will complain about an "unknown source value" but will work as intended.