paragonie / csp-builder

Build Content-Security-Policy headers from a JSON file (or build them programmatically)
https://paragonie.com/projects
MIT License

"support older browsers" nonce fix #31

Open strider72 opened 6 years ago

strider72 commented 6 years ago

Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as well. Of course, this is less secure again.

Firefox and Edge ignore the "unsafe-inline" directive if nonces are also called, so this is fine in those browsers; but... I can't determine if Chrome or newer versions of iOS Safari (10+) do the same. Thus, I'm not positive that just adding unsafe-inline is the correct (safe) fix. Worth investigating though.

paragonie-scott commented 6 years ago

Are these versions of iOS Safari still supported?

(I'm asking because I don't own any Apple products, so I don't have a frame of reference. This could be an "Internet Explorer 11" bug or an "Internet Explorer 5.5" bug and I wouldn't know which.)

strider72 commented 6 years ago

Apple seems to come out with a new iOS about every year or so, and the current version is 11 – so iOS 9 certainly isn't new, but not ancient either. Maybe on par with IE 11 or possibly 10.

A lot of people are still on iOS 9 or 10 because certain iPhones and iPads max out at that OS.

I believe it falls within a reasonable “older browsers”. iOS 5 or lower would be analogous to IE 6....

(Edit: more like iOS 1 or 2....)

strider72 commented 6 years ago

Looked it up. iOS 9 was introduced in September 2015

strider72 commented 6 years ago

Okay, I did some testing with an inline non-nonced style tag and script tag. So: CSP script-src has a nonce set AND 'unsafe-inline' set to true.
CSP style-src has a nonce set, AND 'unsafe-inline' set to true.

"Pass" means the browser blocked the non-nonced Style and Script. "Fail" means it did not block the non-nonced Style or Script:

Results:

  1. If your CSP sets default-src to 'none', but style-src or script-src to a nonce, old browsers will fail to run those scripts or styles, because they don't understand nonces and fall back to the default 'none'.
  2. If a browser that does understand CSP nonces has a nonce set AND unsafe-inline set, it ignores the unsafe-inline. (Note: In csp-builder you have to set the unsafe-inline before you set the nonce!) THEREFORE:
  3. To properly support older browsers, when setting nonces you also have to set unsafe-inline.
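The three results above describe how a source list behaves in a browser that understands nonces versus one that does not. The following is an added Python model of those rules, written for this editing pass; it is not code from csp-builder and was not posted in the thread. It encodes the CSP2/CSP3 rule that a 'nonce-...' or hash source in a directive makes 'unsafe-inline' ignored, and the CSP1 behaviour of dropping source expressions the browser does not recognise. The nonce values, the "old"/"modern" browser flags and the `build_header` policy shape are constructed for the example; it models observable outcomes, not any particular browser's implementation, and does not model csp-builder's own ordering of `unsafe-inline` and nonce calls.

```python
"""Model of how a browser applies a CSP source list to inline scripts/styles.

Added example, not code from csp-builder or from the issue thread.
Rules encoded (CSP2/CSP3): a 'nonce-...' or hash source in a directive
disables 'unsafe-inline'; a CSP1-only browser drops source expressions
it does not recognise. Browser flags and nonces below are constructed.
"""
import secrets
from typing import Dict, List, Optional


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header into {directive: [source tokens]}."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def build_header(nonce: str, support_old_browsers: bool) -> str:
    """Policy shape from the thread: default-src 'none', a nonce on script/style,
    and 'unsafe-inline' added only when old browsers must keep working.
    (Constructed for this example; not csp-builder output.)"""
    sources = [f"'nonce-{nonce}'"]
    if support_old_browsers:
        sources.append("'unsafe-inline'")
    src = " ".join(sources)
    return f"default-src 'none'; script-src {src}; style-src {src}"


def inline_allowed(header: str, directive: str, browser_understands_nonces: bool,
                   element_nonce: Optional[str] = None) -> bool:
    """Would an inline <script>/<style> carrying element_nonce (or none) execute?"""
    policy = parse_csp(header)
    if directive in policy:
        sources = policy[directive]
    elif "default-src" in policy:
        sources = policy["default-src"]      # fetch directives fall back to default-src
    else:
        return True                          # nothing in the policy governs this directive
    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    nonce_tokens = [s for s in sources if s.startswith("'nonce-")]
    hash_tokens = [s for s in lowered if s.startswith(("'sha256-", "'sha384-", "'sha512-"))]
    if not browser_understands_nonces:
        # CSP1-era browser: nonce and hash expressions are unknown and dropped,
        # so only 'unsafe-inline' can let inline content through. A list that
        # held nothing but a nonce behaves like 'none'.
        return has_unsafe_inline
    if element_nonce and f"'nonce-{element_nonce}'" in sources:
        return True                          # nonce match (case-sensitive)
    if nonce_tokens or hash_tokens:
        return False                         # CSP2+: nonce/hash present => 'unsafe-inline' ignored
    return has_unsafe_inline


def compatibility_matrix(nonce: str) -> Dict[str, Dict[str, bool]]:
    """Reproduce the thread's test: does a nonced and a non-nonced inline script
    run under each policy, in an old (no nonce support) and a modern browser?"""
    results: Dict[str, Dict[str, bool]] = {}
    for support_old in (False, True):
        header = build_header(nonce, support_old)
        for modern in (False, True):
            key = f"unsafe-inline={support_old} modern={modern}"
            results[key] = {
                "nonced_script_runs": inline_allowed(header, "script-src", modern, nonce),
                "unnonced_script_runs": inline_allowed(header, "script-src", modern, None),
            }
    return results


if __name__ == "__main__":
    for case, outcome in compatibility_matrix(secrets.token_urlsafe(16)).items():
        print(case, outcome)
```

Read together with the thread's pass/fail definition: the only row where a non-nonced inline script runs is the old browser with 'unsafe-inline' present, so adding the keyword relaxes the policy solely on browsers that would otherwise block everything, while nonce-aware browsers keep blocking unnonced inline content. The model ignores 'strict-dynamic' and hash-based allowances for external scripts, which do not affect the four cases tested here.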

Rendez commented 5 years ago

Hi, this is very interesting. The CSP evaluator also recommends this approach, so could the unsafe-inline directive be included if a nonce is set and supportOldBrowsers is true?