unsafe-inlineSource List Keyword
unsafe-inlineContent Security Policy (CSP) keyword allows the execution of inline scripts or styles.
Except for one very specific case, you should avoid using the
unsafe-inline keyword in your CSP policy. As you might guess it is generally unsafe to use
unsafe-inline keyword annuls most of the security benefits that
Let's imagine that you have an app that simply output's a name from the query string variable
When you hit the URL:
/app?name=Pete, the response is
Hello Pete. This clearly is an open window for a reflected cross site scripting attack. The attacker can simply inject a script tag:
When someone requests that URL the
bad-stuff.js will execute.
We can prevent our app from loading JS from
bad-guy.example.com using CSP. If we have the following policy:
<script> doSomething(); <script>
That inline script will also be blocked by CSP by default. There are ways to allow it, such as
hash. But the sledge hammer way to allow it would be to add
unsafe-inline to your policy. Suppose we added it to our policy:
script-src: 'self' 'unsafe-inline'
Now, go back to our vulnerable example app and try this:
We have reopened our XSS hole that was patched by adding CSP.
Note: We are using
unsafe-inlineadds. In case you ever wondered why everyone is so concerned about the
Finally make sure you also patch your XSS vulnerabilities in your app code by properly encoding variables before outputting them.
Besides just allowing inline
<button onClick="doSomething();">Do It</button>
unsafe-hashes than it is to use
It is only ok to use
unsafe-inline when it is combined with the
strict-dynamic directive. On browsers that support
strict-dynamic (CSP Level 3+), the
unsafe-inline is ignored, and provides a route to backwards compatibility on browsers that support CSP Level 2 or lower.
In other words, you should only use it if you really know what you are doing!
The most common reason that unsafe inline is not working is that you forgot to wrap it with single quotes. It should be specified as:
unsafe-inline source list keyword has been part of the Content Security Policy Specification since the first version of it (CSP Level 1).
Internet Explorer 11 and below do not support the
unsafe-inline directive. This means that IE11 will simply ignore the policy and allows the execution of script or css as if no policy existed.