0 votes
Hello,

According to slide 68 of lecture 06, CSP level 2 introduces hashes and nonces for script-src and disables 'unsafe-inline' if present. However, in slide 70, the example CSP header is:

Content-Security-Policy: script-src 'self' 'nonce-ABCDEF' 'unsafe-inline'

My question is: if 'unsafe-inline' is supposed to be disabled by the presence of a nonce, why is it still included in this header? Would an inline script like <script>/* ... */</script> still be allowed in this case?

Also, does the order of the keywords ('self' 'nonce-ABCDEF' 'unsafe-inline') in the script-src matter for how the policy is interpreted?

Thanks in advance for the clarification.
in General/Lecture/Exam

1 Answer

+1 vote
Hi,

'unsafe-inline' is included for backwards compatibility.

Say a browser that only supports CSP Lv1 connects to a site with the given CSP-Policy.

If 'unsafe-inline' were excluded, the site would block all inline scripts and probably break for this user.

As you have pointed out, the 'nonce-ABCDEF' disables the 'unsafe-inline' for browsers that support CSP Lv2 and above.

The order of the CSP policy for a given fetch source does not matter, since all whitespace-separated parts are evaluated with an 'or'; unsupported expressions are ignored (like 'nonce-ABCDEF' for a browser that only supports CSP Lv1).
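To make the answer's two points concrete (a browser ignores source expressions it does not understand, and in Level 2+ a nonce source makes 'unsafe-inline' irrelevant), here is an added Python model of how a Level 1 versus Level 2 browser would treat an inline <script> under the slide's header. This is example code written for this thread, not from the lecture or from any browser engine; the header string, the level numbers and the simplified matching rules are assumptions.

```python
import re

# Constructed from the header quoted in the question (assumption: script-src is the only directive).
HEADER = "script-src 'self' 'nonce-ABCDEF' 'unsafe-inline'"

# Keywords a CSP Level 1 browser understands; nonce/hash sources arrive with Level 2.
LEVEL1_KEYWORDS = {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'none'"}
NONCE_OR_HASH = re.compile(r"'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=]+)'")


def script_src_sources(header):
    """Whitespace-separated source list of the script-src directive (order is irrelevant)."""
    for directive in header.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def supported(source, level):
    """A browser at the given CSP level ignores source expressions it does not understand."""
    if source.lower() in LEVEL1_KEYWORDS:
        return True
    if NONCE_OR_HASH.fullmatch(source):
        return level >= 2              # a Level 1 browser drops 'nonce-...' and 'sha256-...'
    return not source.startswith("'")  # host/scheme sources are understood at every level


def inline_script_allowed(header, level, nonce=None):
    """Would an inline <script> (optionally carrying a nonce attribute) run in a browser
    at CSP `level`? Sources are OR-ed together, but once a nonce/hash source is understood
    (Level 2+), 'unsafe-inline' no longer counts. Hash matching is not modelled here."""
    sources = [s for s in script_src_sources(header) if supported(s, level)]
    if any(NONCE_OR_HASH.fullmatch(s) for s in sources):
        # Nonce/hash present: the inline script needs a matching nonce attribute.
        return nonce is not None and f"'nonce-{nonce}'" in sources
    return "'unsafe-inline'" in (s.lower() for s in sources)


if __name__ == "__main__":
    for level in (1, 2):
        print(f"Level {level} browser, inline script without nonce attr: "
              f"{inline_script_allowed(HEADER, level)}")
    print("Level 2 browser, nonce=ABCDEF:", inline_script_allowed(HEADER, 2, nonce="ABCDEF"))
```

Dropping 'unsafe-inline' from the header and re-running at level 1 shows the breakage the answer describes: no inline script runs at all for that browser.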