Open rvaneijk opened 5 years ago
Hi!
Nonces are not related to SRI though. Nonces are for whitelisting inline JS when you really really have to, as a way to avoid using unsafe-inline (but of course it's best not to use inline JS at all). See for example https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#Unsafe_inline_script
Maybe you meant to use SRI there? I see SRI is correctly implemented on all the other script/style elements, so it's a bit misleading that the results say "Subresource Integrity (SRI) not implemented, but all external resources are loaded over HTTPS" - I'll try to do something about that.
Might even be better to suggest hashes over nonces, since hashes actually validate the contents of the resource.
Hi,
The current report on SRI does not check for nonce, but flags non-SRI if no hash is implemented.
For example, <script nonce="d3gxy7nm8y4yjr" src="https://d3gxy7nm8y4yjr.cloudfront.net/js/embed.js" type="text/javascript"></script> is flagged as 'Subresource Integrity (SRI) not implemented,'
I ran the report on the URI https://www.natuurlijkehaarkleuring.nl/afspraak/
Proposed resolution: check for nonce-script tags when running the SRI reporter.