Closed SniperSister closed 5 years ago
TL;DR: I would prefer the strict way and break the old legacy browsers for a score of 100.
Can I Use Stats: https://caniuse.com/#feat=contentsecuritypolicy https://caniuse.com/#feat=contentsecuritypolicy2
From the linked statistics it seems that only the IE11, UC Browser for Android, and Opera Mini don't respect these settings.
These browsers are insecure by default; no one should use them anyway.
IMHO it's not a good idea for a security scanner to not mark usages of unsafe-* directives as unsafe.
Rather drop the score and have some users that wonder why the unsafe-* directives don't reach the top score (also in the fallback use case) than make the scan results ridiculous.
What do @mniemietz @ic0ns and @Skeeve think about it?
Maybe I don't fully understand, but the statistics seem to imply that the named browsers do not support CSP at all. So whether or not it is there doesn't seem to affect the client. So it's good when the server sends the information. Correct me when I'm wrong. So I'm with you…
The browsers in question do support CSP v1, which doesn't have support for the hash syntax to whitelist inline styles and scripts.
Okay: Still I follow your arguments.
Only the browsers that support CSP v1 but not CSP v2 are affected by this question, correct? Which browsers are the relevant ones that would use the fallback?
IE is the only relevant in the real world.
As referenced on caniuse.com, IE does not use the Content-Security-Policy header but X-Content-Security-Policy, so there should also be a penalty regarding the score because it uses a legacy header.
Also, IE has a global usage of 2.53% and in Germany 2.92%.
All in all, I will stay with my argument:
I would prefer the strict way and break the old legacy browsers for a score of 100.
ok, fair enough, thanks for sharing your thoughts! :)
Hi all,
I checked the new SIWECOS site with the scanner today and got a degraded score from the header scanner because of having "unsafe-inline" as part of the style-src property.
'unsafe-inline', however, is only in there for legacy browser support; modern browsers will detect the sha256 hash that the site provides and ignore 'unsafe-inline' or 'unsafe-eval'.
The combination of 'unsafe-inline' (used as fallback) and hash/nonce is the only way of using inline scripts or styles with CSP and having a wide range of browsers supported. I'm aware that such a combination still leaves a tiny loophole, but considering the very low market share of these legacy browsers I would like to raise a discussion on whether this setup isn't "secure enough" to deserve a 100 score.