Content security policy does not work in Internet Explorer 11
In my main ASP.NET application, for each response, I add a Content Security Policy header. I understand that for IE the header name is X-Content-Security-Policy and for other browsers like Chrome it's Content-Security-Policy.
The header value looks something like the one below, where the nonce differs for each response.
default-src 'none';
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';
style-src 'self' 'unsafe-inline';
img-src 'self' data:;
font-src 'self';
object-src 'self';
connect-src 'self';
report-uri /csp/report;
The app uses inline JavaScript across multiple pages. So to fix the inline-script violation, I add the same nonce value to the script tag: <script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
The important value here is the nonce value, which must match the nonce value in the header. some details here
I have implemented a middleware and a tag helper that add a nonce to the header and to the script tag respectively, and I made sure both nonce values match when the page is rendered.
Then, to test this on the page, I added a script without a nonce:
<script type="text/javascript">
$(function () {
alert('i am hacker');
})
</script>
Google Chrome detects this violation and blocks the above script as expected. However, in IE 11, the above script is executed without any disruption. Again, I made sure the header name used for IE is X-Content-Security-Policy.
Why is IE 11 not blocking the script?
IE 11 doesn't support the nonce attribute or the nonce- source value at all.
The only CSP directive that IE11 supports is sandbox. It ignores all other CSP directives.
So you can just drop the 'nonce-somerandomvalue-differnt-foreach-reasone' portion of your X-Content-Security-Policy header entirely and IE11 will still allow inline scripts.
IE11 will allow inline scripts no matter what you do, unless the server sends a response with the header X-Content-Security-Policy: sandbox, in which case it will disable all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but this will allow all scripts, including inline scripts.
So I think as of IE11 there is no way to disallow only inline scripts. You can only have IE11 either allow all scripts or none.
Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft specification that specified the nonce attribute was from some time in 2014.
http://caniuse.com/#feat=contentsecuritypolicy contains information about browser support for CSP1 directives: partial support in Internet Explorer 10-11 refers to the browser only supporting the sandbox directive, using the X-Content-Security-Policy header.
The nonce attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2
Support for nonce and other CSP2 features was added in Edge 15. Thus, Edge 14 and earlier do not support nonce or other new-in-CSP2 features. But Edge 12+ has full support for all of CSP1.