SIWECOS / HSHS-DOMXSS-Scanner

MIT License

unsafe-inline with hashes being considered "unsafe" #50

Closed SniperSister closed 5 years ago

SniperSister commented 5 years ago

Hi all,

I checked the new SIWECOS site with the scanner today and got a degraded score from the header scanner because of having "unsafe-inline" as part of the style-src property.

Unsafe-Inline, however, is only in there for legacy browser support; modern browsers will detect the sha256 hash that the site provides and ignore unsafe-inline or unsafe-eval.

The combination of unsafe-inline (used as fallback) and hash/nonce is the only way of using inline scripts or styles with CSP and having a wide range of browsers supported. I'm aware that such a combination still leaves a tiny loophole, but considering the very low market share of these legacy browsers I would like to raise a discussion if this setup isn't "secure enough" to deserve a 100 score.
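The fallback behaviour described above, as an added example that is not the SIWECOS scanner's own code: a small Python check that tells a script-src/style-src directive carrying both 'unsafe-inline' and a hash or nonce (CSP2 browsers ignore the 'unsafe-inline', CSP1-only browsers such as IE11 honor it) apart from a directive with a bare 'unsafe-inline'. The point values in the scoring table are assumed for illustration.

```python
import re

# Hash and nonce sources as defined by CSP Level 2 (base64 payloads).
HASH_RE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/=]+'$")
NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=]+'$")


def parse_csp(header):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def assess_inline(sources):
    """Classify one source list: 'strict', 'fallback', 'unsafe' or 'no-inline'.

    'fallback' is the case discussed in the issue: 'unsafe-inline' plus a
    hash/nonce.  A CSP2 browser drops 'unsafe-inline' once a hash or nonce is
    present; a CSP1-only browser has no hash syntax and keeps allowing any
    inline code, so the directive is not equivalent to a strict one."""
    has_unsafe = any(s.lower() == "'unsafe-inline'" for s in sources)
    has_hash_or_nonce = any(HASH_RE.match(s) or NONCE_RE.match(s) for s in sources)
    if has_unsafe and has_hash_or_nonce:
        return "fallback"
    if has_unsafe:
        return "unsafe"
    if has_hash_or_nonce:
        return "strict"
    return "no-inline"


# Assumed penalty table, constructed for this example only.
PENALTIES = {"strict": 0, "no-inline": 0, "fallback": 20, "unsafe": 50}


def score_csp(header):
    """Score a policy; script-src/style-src fall back to default-src if absent."""
    policy = parse_csp(header)
    findings = {}
    for directive in ("script-src", "style-src"):
        sources = policy.get(directive, policy.get("default-src", []))
        findings[directive] = assess_inline(sources)
    score = 100 - sum(PENALTIES[v] for v in findings.values())
    return max(score, 0), findings
```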

Lednerb commented 5 years ago

TL;DR: I would prefer the strict way and break the old legacy browsers for a score of 100.


Can I Use Stats: https://caniuse.com/#feat=contentsecuritypolicy https://caniuse.com/#feat=contentsecuritypolicy2

From the linked statistics it seems that only the IE11, UC Browser for Android, and Opera Mini don't respect these settings.

These browsers are insecure by default; no one should use them anyway.

IMHO it's not a good idea for a security scanner not to mark usages of unsafe-* directives as unsafe. Rather drop the score and have some users that wonder why the unsafe- directives don't reach the top score (also in the fallback use case) than make the scan results ridiculous.


What do @mniemietz @ic0ns and @Skeeve think about it?

Skeeve commented 5 years ago

Maybe I don't fully understand, but the statistics seem to imply that the named browsers do not support CSP at all. So whether or not it is there doesn't seem to affect the client. So it's good when the server sends the information. Correct me when I'm wrong. So I'm with you…

SniperSister commented 5 years ago

The browsers in question do support CSP v1 which doesn't have support for the hash-syntax to whitelist inline styles and scripts.

Skeeve commented 5 years ago

Okay: Still I follow your arguments.

Lednerb commented 5 years ago

Only the browsers that support CSP v1 but not CSP v2 are affected by this question, correct? Which browsers are those relevant ones that would use the fallback?

SniperSister commented 5 years ago

IE is the only relevant one in the real world.

Lednerb commented 5 years ago

As referenced on caniuse.com, IE does not use the Content-Security-Policy header but X-Content-Security-Policy, so there should also be a penalty regarding the score because it uses a legacy header.

Also, IE has a global usage of 2.53% and in Germany 2.92%.

All in all, I will stay with my argument:

I would prefer the strict way and break the old legacy browsers for a score of 100.

SniperSister commented 5 years ago

ok, fair enough, thanks for sharing your thoughts! :)