How can I allow mixed content (http with https) using the content-security-policy meta tag?

You can’t. CSP is there to restrict content on your website, not to loosen browser restrictions. Secure https sites give users certain guarantees and it’s not really fair to then allow http content to be loaded over it (hence the mixed content warnings) and really not fair if you could hide these warnings without your …

Trying to render iframe: ancestor violates the following Content Security Policy directive: “frame-ancestors 'none'”

The frame-ancestors value acts on the source of the iframe not the document framing it. Setting CSP on your page will have no effect on the framing. Think of frame-ancestors like X-Frame-Options on steroids: it restricts what is allowed to frame the content. Gist intentionally does not allow directly framing gists but instead provides a …

Content Security Policy: cannot load Google API in Chrome extension

I wrestled with this issue for the past 12 hours and finally got it to work. Why did it take so long? Because I got thrown off the trail multiple times. First, the false leads: “Make it HTTPS” — Doesn’t matter. My Chrome extension now makes regular HTTP calls to a different domain and works …

Google Chrome Stripping nonce values from script tags

What’s described in the question is actually expected behavior — required per the HTML spec: https://html.spec.whatwg.org/multipage/#nonce-attributes:attr-nonce Elements that have a nonce content attribute ensure that the cryptographic nonce is only exposed to script (and not to side-channels like CSS attribute selectors) by extracting the value from the content attribute, moving it into an internal slot …

How to use frame-src and child-src in Firefox and other browsers?

Update: Jan 2017: Stop using child-src and begin using frame-src again. In an effort to create even more confusion, CSP Level 3 has undeprecated frame-src and actually re-appointed it as the preferred way to achieve this. While child-src is still supported, frame-src is once again preferred. Old post: frame-src is deprecated, but it was only …

Content Security Policy (CSP) Header: Onto each file or only the actual HTML pages?

The correct answer to my question was given as an answer to another, similar question. It refers to the CSP specification, which clearly states that the policy only affects resources which create a new “execution context”. This means it is not necessary to add the CSP to REST API responses which are not meant to …