Content security policy does not work in Internet Explorer 11

In my main asp.net application, for each response, I add a Content Security Policy header. I understand that for IE the header name is X-Content-Security-Policy and for other browsers like Chrome it is Content-Security-Policy.

The header value looks something like the one below, where the nonce differs for each response.

default-src 'none';
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
object-src 'self';
connect-src 'self';
report-uri /csp/report;

The app uses inline JavaScript across multiple pages. So to fix the inline-script violation, I add the same nonce value to the script tag:

<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">


The important value here is the nonce value, which must match the nonce value in the header. some details here

I have implemented a middleware and a helper tag that add a nonce to the header and the script tag respectively, and I made sure both nonce values match when the page is rendered.

Then, to test this on the page, I added a script without a nonce:

<script type="text/javascript">
    $(function () {
        alert('i am hacker');
    })
</script>

Google Chrome detects this violation and blocks the above script as expected. However, in IE 11, the above script is executed without any disruption. Again, I made sure the header name for IE is X-Content-Security-Policy.

Why is IE 11 not blocking the script?

1 answer


IE 11 doesn't support the nonce attribute or the 'nonce-' source value at all.

The only CSP directive that IE11 supports is sandbox. It ignores all other CSP directives.

So you can just drop the 'nonce-somerandomvalue-differnt-foreach-reasone' portion of your X-Content-Security-Policy header entirely and IE11 will still allow inline scripts.

IE11 will allow inline scripts no matter what you do, unless the server sends a response with the header X-Content-Security-Policy: sandbox, in which case it will disable all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but this will allow all scripts to run, including inline scripts.

So I think as of IE11 there is no way to disallow only inline scripts. You can only have IE11 either allow all scripts or none.




Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft specification that specified the nonce attribute was sometime in 2014.

http://caniuse.com/#feat=contentsecuritypolicy contains information about browser support for the CSP1 directives:

Partial support in Internet Explorer 10-11 refers to the browser only supporting the sandbox directive using the X-Content-Security-Policy header.

The nonce attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2

Support for nonce and other CSP2 features was added in Edge 15. Thus, Edge 14 and earlier do not support nonce or other new-in-CSP2 features. But Edge 12+ has full support for all of CSP1.

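As an added example (not code from the asker or the answerer, and Python rather than the asker's ASP.NET middleware), the following script reproduces the setup from the question and the behaviour the answer describes: it generates a fresh nonce per response, emits the same policy under both header names, parses the header back, and then checks each inline script tag of a constructed sample page two ways. The CSP2 check (Chrome, Firefox, Edge 15+) allows an inline script only when its nonce attribute matches a 'nonce-...' source; the IE11 check models what the answer states, namely that only the sandbox directive is honoured. All function names, the sample page and the report path are assumptions for this example.

```python
import base64
import re
import secrets

# Per-response nonce: 128 random bits, base64-encoded. The server must mint a
# fresh one for every response, as the question's middleware does.
def make_nonce() -> str:
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

# The policy from the question with the nonce substituted in (report path assumed).
def build_csp(nonce: str, report_uri: str = "/csp/report") -> str:
    directives = [
        "default-src 'none'",
        f"script-src 'self' 'nonce-{nonce}' 'unsafe-eval'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
        "font-src 'self'",
        "object-src 'self'",
        "connect-src 'self'",
        f"report-uri {report_uri}",
    ]
    return "; ".join(directives) + ";"

# Same value under both header names, as the question does for IE and for other browsers.
def response_headers(nonce: str) -> dict:
    policy = build_csp(nonce)
    return {"Content-Security-Policy": policy, "X-Content-Security-Policy": policy}

# Parse "directive src src; directive src; ..." into {directive: [sources]}.
def parse_csp(header: str) -> dict:
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce\s*=\s*["']([^"']*)["']""", re.IGNORECASE)
SRC_ATTR = re.compile(r"\bsrc\s*=", re.IGNORECASE)

# CSP2 evaluation: an inline script runs only when its nonce attribute matches a
# 'nonce-...' source in script-src. Once any nonce or hash source is present,
# 'unsafe-inline' is ignored, so a script without a matching nonce is blocked.
def inline_script_allowed_csp2(policy: dict, tag_attrs: str) -> bool:
    sources = policy.get("script-src", policy.get("default-src", []))
    nonces = {s[len("'nonce-"):-1] for s in sources
              if s.startswith("'nonce-") and s.endswith("'")}
    hashes = [s for s in sources if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    m = NONCE_ATTR.search(tag_attrs)
    if m and m.group(1) in nonces:
        return True
    return "'unsafe-inline'" in sources and not nonces and not hashes

# IE11 evaluation as described in the answer: only sandbox is honoured. Without
# it every script runs; with it no script runs unless allow-scripts is present,
# and then inline scripts run as well.
def inline_script_allowed_ie11(policy: dict) -> bool:
    if "sandbox" not in policy:
        return True
    return "allow-scripts" in policy["sandbox"]

# Walk every inline <script> tag in a page and report what each engine would do.
def audit_page(html: str, policy: dict) -> list:
    results = []
    for m in SCRIPT_TAG.finditer(html):
        attrs = m.group(1)
        if SRC_ATTR.search(attrs):
            continue  # external scripts are matched by host source, not by nonce
        results.append({
            "attrs": attrs.strip(),
            "csp2": inline_script_allowed_csp2(policy, attrs),
            "ie11": inline_script_allowed_ie11(policy),
        })
    return results

# Constructed sample page: one nonced script plus the question's test script without a nonce.
SAMPLE_HTML = """
<script type="text/javascript" nonce="__NONCE__">initPage();</script>
<script type="text/javascript">
    $(function () {
        alert('i am hacker');
    })
</script>
"""

def demo() -> list:
    nonce = make_nonce()
    policy = parse_csp(response_headers(nonce)["X-Content-Security-Policy"])
    return audit_page(SAMPLE_HTML.replace("__NONCE__", nonce), policy)

if __name__ == "__main__":
    for row in demo():
        print(f"{row['attrs'][:44]:44}  CSP2 allows={row['csp2']}  IE11 allows={row['ie11']}")
```

Running it shows the nonced script allowed by both engines and the un-nonced script blocked under CSP2 but allowed by IE11, which is exactly the difference the question observed between Chrome and IE 11. Feeding parse_csp("sandbox") or parse_csp("sandbox allow-scripts") to inline_script_allowed_ie11 reproduces the only two outcomes the answer says IE11 can produce.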