0 votes

I get an intermittent error when loading a page with a CSP. Firefox: "Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”). Source: ..."

Chrome: "The source list for the Content Security Policy directive 'script-src' contains an invalid source: ''nonce-YVV3G@Kk3ex7GMz53NWHlwAAADs''. It will be ignored. list:1 Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' 'nonce-YVV3G@Kk3ex7GMz53NWHlwAAADs' 'report-sample' ...". Either the 'unsafe-inline' keyword, a hash ('sha256-bcuD/K2TDYJ65gRxOp1yB9QFYhNqCOvbD35Sa/Pn/es='), or a nonce ('nonce-...') is required to enable inline execution."

I am using nonces. I do not think I have anything inline which is not under a nonce. Apache config:

<IfModule mod_headers.c>
Header set Content-Security-Policy "report-to '...'; " 
Header set Content-Security-Policy "report-uri '...'; " 

Header set Content-Security-Policy "default-src 'self'; "
Header set Content-Security-Policy "base-uri 'self' 'nonce-%{UNIQUE_ID}e'; "
Header set Content-Security-Policy "object-src 'self' 'nonce-%{UNIQUE_ID}e'; "
Header set Content-Security-Policy "connect-src 'self' 'nonce-%{UNIQUE_ID}e'; "
Header set Content-Security-Policy "worker-src 'self' 'nonce-%{UNIQUE_ID}e'; "
Header set Content-Security-Policy "child-src 'self' 'nonce-%{UNIQUE_ID}e'; "
Header set Content-Security-Policy "frame-src 'self' 'nonce-%{UNIQUE_ID}e'; "
Header set Content-Security-Policy "form-action 'self' 'nonce-%{UNIQUE_ID}e'; " 
Header set Content-Security-Policy "manifest-src 'self' 'nonce-%{UNIQUE_ID}e'; " 
Header set Content-Security-Policy "media-src 'self' 'nonce-%{UNIQUE_ID}e'; "

Header set Referrer-Policy "no-referrer " 
Header set Content-Security-Policy "style-src 'self' 'nonce-%{UNIQUE_ID}e' 'report-sample' ...; " 
Header set Content-Security-Policy "img-src 'self' 'nonce-%{UNIQUE_ID}e' 'report-sample' ... ; " 
Header set Content-Security-Policy "font-src 'self' 'nonce-%{UNIQUE_ID}e' 'report-sample' ...; "
Header set Content-Security-Policy "script-src 'self' 'nonce-%{UNIQUE_ID}e' 'report-sample' ...;" 

Header set Strict-Transport-Security "max-age=31536000; includeSubDomains "
Header edit Set-Cookie ^(.*)$ "$1;Secure;SameSite=Strict"
Header always set Content-Security-Policy "upgrade-insecure-requests; "
Header always set Content-Security-Policy "frame-ancestors 'self'; "
Header always set Content-Security-Policy "form-action 'self'; "
Header set X-Content-Type-Options nosniff
Header set X-XSS-Protection "0 "
</IfModule>

and in the page:

<script type="text/javascript" nonce="'.$_SERVER['UNIQUE_ID'].'">

which results in

<script type="text/javascript" nonce="YVV3G@Kk3ex7GMz53NWHlwAAADs">

Thank you

1 Answer

1 vote

$_SERVER['UNIQUE_ID'] is not suitable as a nonce:

  1. It does not generate cryptographically secure values.

  2. The value generated can contain the @ character, which is invalid in a 'nonce-value'; that is why the error is intermittent.

Instead of UNIQUE_ID, use mod_cspnonce for Apache 2.
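To illustrate the answer's second point, here is an added example (not code from the question, the answer or mod_cspnonce): CSP's base64-value grammar permits A-Z, a-z, 0-9, '+', '/', '-', '_' and up to two '=' padding characters, whereas mod_unique_id encodes with an alphabet that uses '@' and '-' in place of '+' and '/'. The code checks a nonce value against that grammar, models the browser decision quoted from Chrome (invalid nonce sources are dropped, so the inline script is refused), and generates a compliant per-response nonce; the function names are my own.

```python
import base64
import re
import secrets

# CSP Level 3 grammar for a nonce source: 'nonce-' base64-value, where
#   base64-value = 1*( ALPHA / DIGIT / "+" / "/" / "-" / "_" ) *2( "=" )
BASE64_VALUE = re.compile(r"[A-Za-z0-9+/_-]+={0,2}")

# mod_unique_id's encoding alphabet: a base64 variant with '@' and '-'
# standing in for '+' and '/'. '-' is legal in a CSP nonce, '@' is not,
# so only UNIQUE_IDs that happen to contain '@' break the page.
UNIQUE_ID_ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@-"
)


def is_valid_nonce_value(value):
    """True if value matches CSP's base64-value production."""
    return BASE64_VALUE.fullmatch(value) is not None


def generate_nonce(nbytes=16):
    """Per-response nonce: 128 bits from the OS CSPRNG, standard base64."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def inline_script_allowed(csp, script_nonce):
    """Model the check Chrome reports in the question: an inline
    <script nonce=...> runs only if script-src (else default-src) lists a
    syntactically valid 'nonce-...' source equal to the attribute value.
    Invalid sources are discarded ("It will be ignored"). Only nonce
    sources are modelled; hashes and 'unsafe-inline' are not."""
    directives = {}
    for raw in csp.split(";"):
        parts = raw.split()
        if parts:
            # Per CSP, the first occurrence of a directive wins.
            directives.setdefault(parts[0].lower(), parts[1:])
    sources = directives.get("script-src", directives.get("default-src", []))
    accepted = set()
    for src in sources:
        if src.startswith("'nonce-") and src.endswith("'"):
            value = src[len("'nonce-"):-1]
            if is_valid_nonce_value(value):
                accepted.add(value)
    return script_nonce in accepted


if __name__ == "__main__":
    bad = "YVV3G@Kk3ex7GMz53NWHlwAAADs"  # the UNIQUE_ID from the question
    print("UNIQUE_ID nonce valid:", is_valid_nonce_value(bad))
    print("script runs with it:", inline_script_allowed(
        "script-src 'self' 'nonce-%s' 'report-sample'" % bad, bad))
    good = generate_nonce()
    print("generated nonce valid:", is_valid_nonce_value(good))
```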