content-security-policy

Im am trying to keep my CSP policy as strict as possible. I need to include 3d party component in my bundle. But it uses element.setAttribute('style'...) method which breaks CSP. Is there a way to allow this particular script to inline styles in that manner? 2018-10-06 update The original answer here is still correct for now — because with CSP as currently implemented in browsers at least, there’s still no way to have dynamically injected styles at all without specifying unsafe-inline , and specifying unsafe-inline basically negates the whole purpose of CSP. However , CSP3 adds a new unsafe

Has any one been able to make a Chrome extension using GWT and manifest_version 2? I have sandboxed all the GWT generated files also (as suggested here ) but it still does not work. manifest.json { "name": "Hello World!", "description": "My first packaged app.", "manifest_version": 2, "version": "0.1", "app": { "background": { "scripts": ["background.js"] } }, "permissions": ["experimental", "appWindow"], "icons": { "16": "calculator-16.png", "128": "calculator-128.png" } } background.js chrome.experimental.app.onLaunched.addListener(function() { chrome.appWindow.create('LocalWebApp.html', {

Trying to load different contents(can be pdf, swf etc.) in an 'iframe' through javascript in an chrome extension application. The content is loaded using the data URL scheme as : // this javascript is registered in the html file and the LoadFunction is registered inside the DOMContentLoaded event on the click of a button. void LoadFunction() { window.parent.document.getElementById("page_data").src = 'data:application/pdf;base64,' + 'base64 encoded data'; (base64 data is received from a c++ class) } but as soon as above function is called, a content security policy error is raised as : Refused

While implementing the CSP header on my website, I am facing problems with the automatically generated postback JavaScript that webforms adds to the page: <script type="text/javascript"> //<![CDATA[ var theForm = document.forms['form1']; if (!theForm) { theForm = document.form1; } function __doPostBack(eventTarget, eventArgument) { if (!theForm.onsubmit || (theForm.onsubmit() != false)) { theForm.__EVENTTARGET.value = eventTarget; theForm.__EVENTARGUMENT.value = eventArgument; theForm.submit(); } } //]]> </script> To support some other script tags inline I have successfully added the nonce

Using content security policy without style-src 'unsafe-inline' how do you allow styles like this? <span style="font-size: 16px;">Hello</span> I've tried adding a nonce to them and adding that nonce to the CSP header but that doesn't seem to work <span style="font-size: 16px;" nonce="0611873de7e2db5985c289fdfa946caee2ae1860">Hello</span> "style-src 'nonce-0611873de7e2db5985c289fdfa946caee2ae1860' 'self'" Is there any way to do this without adding the 'unsafe-inline' directive?? According to https://bugzilla.mozilla.org/show_bug.cgi?id=855326#c35 nonces for style attributes isn't supported a