Content security policy does not work in Internet Explorer 11
In my main asp.net application, for each response, I add a Content Security Policy header. I understand that for IE the title name
and for other browsers like Chrome it's
The header value looks something like the one below, where it differs for each response.
default-src 'none'; script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; object-src 'self'; connect-src 'self'; report-uri /csp/report;
to the script tag.
The important value here is the nonce value, which must match the nonce value in the header. some details here
I have implemented a middleware and a helper tag that adds a nonce to the header and script tag respectively. And I made sure both values match when the page is rendered.
Then, to test the target on the page, I added a script without a nonce
Google Chrome detects this violation and blocks the above script as expected. However, in IE 11, the above script is executed without any disruption. Again, I made sure the title in IE
Why is IE 11 not blocking the script?
IE 11 doesn't support attribute
original value at all.
The only IE11 directive that supports CSP is the
. It ignores all other CSP directives.
So, you can just drop the portion
of your header
entirely and IE11 will still allow inline scripts.
IE11 will allow inline scripts no matter what you do, unless the server sends a response with a header
, in which case it will disable all scripts. And the only way to relax is to send
X-Content-Security-Policy: sandbox allow-scripts
, but this will allow all scripts to be used, including inline scripts.
So I think as of IE11 there is no way to say to disallow only inline scripts. You can only allow IE11 to either allow all scripts or not.
Also note: IE11 was released in 2013 long before the attribute
was specified anywhere. I think the first CSP project specification that was specified in the attribute
was for some time in 2014.
Partial support in Internet Explorer 10-11 refers to a browser that only supports the sandboxing directive using the header
other CSP2 features were added in Edge 15. Thus, Edge 14 and earlier do not support
or other new-in-CSP2 features. But Edge 12+ has full support for all CSP1.
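An added example, not the asker's code or the project's own, of the per-response nonce middleware the question describes, written for ASP.NET Core; the class name, the `CspNonce` item key and the use of `RandomNumberGenerator` are assumptions. As the answer explains, IE11 ignores the nonce source entirely, so the comment marks which browsers actually enforce this header.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;

// Added example: per-response CSP nonce middleware for ASP.NET Core.
// Assumed names: CspNonceMiddleware and the "CspNonce" item key.
public sealed class CspNonceMiddleware
{
    public const string NonceItemKey = "CspNonce";
    private readonly RequestDelegate _next;

    public CspNonceMiddleware(RequestDelegate next) => _next = next;

    // 128 bits from the CSPRNG, base64-encoded: fresh for every response,
    // so a script tag carrying an old or guessed nonce never matches.
    public static string CreateNonce()
    {
        var bytes = new byte[16];
        RandomNumberGenerator.Fill(bytes);
        return Convert.ToBase64String(bytes);
    }

    // Same policy as the question, minus 'unsafe-eval' (add it back only if needed).
    public static string BuildPolicy(string nonce) =>
        "default-src 'none'; " +
        $"script-src 'self' 'nonce-{nonce}'; " +
        "style-src 'self' 'unsafe-inline'; img-src 'self' data:; font-src 'self'; " +
        "object-src 'self'; connect-src 'self'; report-uri /csp/report;";

    public async Task InvokeAsync(HttpContext context)
    {
        var nonce = CreateNonce();
        // The view / tag helper reads this to emit <script nonce="...">.
        context.Items[NonceItemKey] = nonce;

        // Set the header just before the response starts, never after a flush.
        context.Response.OnStarting(() =>
        {
            context.Response.Headers["Content-Security-Policy"] = BuildPolicy(nonce);
            // IE11 ignores script-src and nonces; it only honours the sandbox
            // directive on X-Content-Security-Policy, so this policy is enforced
            // by Chrome, Firefox and Edge 12+, not by IE11.
            return Task.CompletedTask;
        });

        await _next(context);
    }
}
```

Register it with `app.UseMiddleware<CspNonceMiddleware>();` before MVC, and in a Razor view emit `<script nonce="@Context.Items[CspNonceMiddleware.NonceItemKey]">` so the tag and header values match.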