Closed janwillemstegink closed 9 months ago
style-src data: 'self' 'unsafe-inline' shows up as unsafe in https://en.internet.nl/site/nicoheimans.nl/2581042/#control-panel-29.
On the other hand, a safe A+ score is shown in https://securityheaders.com/?q=nicoheimans.nl&followRedirects=on.
Which analysis is realistic?

'unsafe-inline' is broadly seen as insufficiently secure. The CSP standard itself discommends it. See:
Securityheaders.com only checks whether a Content Security Policy is available but does not evaluate its policy value. However, on the result page it offers a link to https://report-uri.com/home/analyse/https%3A%2F%2Fnicoheimans.nl%2F which also disapproves of 'unsafe-inline' and states the following:
❌ 'unsafe-inline' (this value is not recommended)

Thanks for the fast answer.
Scott Helme, securityheaders.com, answers: "Indeed we do for style-src, but it would degrade your score in script-src or default-src. You can find more information in my blog post on our grading criteria here: https://scotthelme.co.uk/a-balanced-approach-new-security-headers-grading-criteria/"
I suppose Internet.nl chooses to strictly follow the CSP documentation.

Yes. We believe the risk with scripts is indeed greater than with styles. But still there's a risk with styles. See also:
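The two verdicts in this thread differ only in whether 'unsafe-inline' in style-src is counted against the site. The script below is an added example, not code from Internet.nl or from either participant: it parses a CSP header value and reports 'unsafe-inline' both ways (strict: script-src and style-src; balanced: script-src only), resolving the default-src fallback and honouring the rule that a nonce or hash in the same directive makes 'unsafe-inline' inert in CSP Level 2+ browsers. The policies in it are constructed; only the style-src value mirrors the one quoted above.

```python
from typing import Dict, List, Optional, Tuple

# Source prefixes whose presence makes 'unsafe-inline' ignored by CSP2+ browsers.
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive: [source expressions]}.
    As in the spec, a repeated directive name keeps its first occurrence."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: Dict[str, List[str]],
                      directive: str) -> Tuple[Optional[List[str]], str]:
    """Sources governing `directive` (default-src is the fallback when it is
    absent) and the name of the directive that actually supplied them."""
    if directive in policy:
        return policy[directive], directive
    if "default-src" in policy:
        return policy["default-src"], "default-src"
    return None, ""  # neither set: the policy says nothing about this directive


def unsafe_inline_active(sources: List[str]) -> bool:
    """True only when 'unsafe-inline' is present AND no nonce/hash source
    neutralises it; keyword sources are matched case-insensitively."""
    lowered = [s.lower() for s in sources]
    if "'unsafe-inline'" not in lowered:
        return False
    return not any(s.startswith(NONCE_OR_HASH) for s in lowered)


def evaluate(header: str, strict: bool) -> Dict[str, str]:
    """Map each flagged directive to the directive that supplied its sources."""
    policy = parse_csp(header)
    checked = ("script-src", "style-src") if strict else ("script-src",)
    findings: Dict[str, str] = {}
    for directive in checked:
        sources, via = effective_sources(policy, directive)
        if sources is not None and unsafe_inline_active(sources):
            findings[directive] = via
    return findings


# Constructed policy; the style-src part mirrors the value quoted in the thread.
SAMPLE_POLICY = "default-src 'self'; script-src 'self'; style-src data: 'self' 'unsafe-inline'"

if __name__ == "__main__":
    print("strict  :", evaluate(SAMPLE_POLICY, strict=True))   # {'style-src': 'style-src'}
    print("balanced:", evaluate(SAMPLE_POLICY, strict=False))  # {}
```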