script-src
Directive Guidescript-src
Content Security Policy (CSP) directive guards the loading and execution of JavaScript.Assume a Content-Security-Policy
header is set with the following policy:
script-src 'self' https://js.example.com;
With the above CSP policy, the following are allowed to load and execute in the browser:
<!-- allowed by 'self' --> <script src="/js/some-file.js"></script> <!-- allowed by https://js.example.com --> <script src="https://js.example.com/file.js"></script>
The Example Policy above will block the following from loading or executing in the browser:
<script src="https://attacker.example.com/file.js"></script>
Blocked because attacker.example.com
is not in the source list.
<script> runInlineScript(); </script>
Blocked because inline scripts are blocked by default, you have to use hashes or a nonce (CSP Level 2) to allow inline scripts to run.
<button onClick="runInlineScript();"> All JS Event Handlers Blocked </button>
The execution of all JS event handlers from inline HTML markup are blocked default, onclick
, onload
, onmouseover
, onsubmit
, etc. You can get them to work via a 'unsafe-hashes'
source list expression, however that is only supported on CSP Level 3 browsers.
<a href="javascript:runInlineScript();">Won't Run</a>
There is no way to get javascript:
to work when CSP is enabled except for unsafe-inline
.
When the browser blocks execution of your JavaScript due to a Content-Security-Policy
header in place with a script-src
directive you can find the reason in the browser developer tools console. Here are some examples:
This error message means that you had some inline script that was blocked. It could be a script tag, or it could be a JavaScript event handler (such as onclick). You can workaround these kinds of issues by using hashes or a nonce, or by moving the script into a JS file.
This error indicates that you have an inline event handler like onclick
in your code that will be blocked. You might want to look at the documentation for unsafe-hashes keyword as well.
Content-Security-Policy will block JavaScript eval()
calls by default. You can use unsafe-eval
to get around the error, but then you may be opening up more security holes. It is usually better to rewrite the JavaScript to avoid eval.
script-src
The CSP script-src
directive has been part of the Content Security Policy Specification since the first version of it (CSP Level 1). However some features such as hashes and nonces were introduced in CSP Level 2. Support for these features is still very good.
Internet Explorer 11 and below do not support the script-src
directive. This means that IE11 will simply ignore the policy and allow any script to run (as if a policy had not been set at all).
Want to learn the ins and outs CSP? Grab a copy of the CSP Developer Field Guide. It's a short and sweet guide to help developers get up to speed quickly.
Grab a CopyAdvisory Week is a weekly roundup of all the security advisories published by the major software vendors.