Open strider72 opened 6 years ago
Are these versions of iOS Safari still supported?
(I'm asking because I don't own any Apple products, so I don't have a frame of reference. This could be an "Internet Explorer 11" bug or an "Internet Explorer 5.5" bug and I wouldn't know which.)
Apple seems to come out with a new iOS about every year or so, and the current version is 11 – so iOS 9 certainly isn't new, but not ancient either. Maybe on par with IE 11 or possibly 10.
A lot of people are still on iOS 9 or 10 because certain iPhones and iPads max out at that OS.
I believe it falls within a reasonable “older browsers”. iOS 5 or lower would be analogous to IE 6....
(Edit: more like iOS 1 or 2....)
Looked it up. iOS 9 was introduced in September 2015.
Okay, I did some testing with an inline non-nonced Style tag and Script tag. So...
CSP script-src has a nonce set, AND 'unsafe-inline' set to true.
CSP style-src has a nonce set, AND 'unsafe-inline' set to true.
"Pass" means the browser blocked the non-nonced Style and Script. "Fail" means it did not block the non-nonced Style or Script.
Results:
Firefox 59: PASS
Firefox 56: PASS
Chrome 66: PASS
Edge: PASS
Safari 11.1 on Mac (current): PASS
Safari on iOS 11 (current): PASS
Safari on iOS 10: PASS
Safari on iOS 9: FAIL
Internet Explorer 11: FAIL
Hi, this is very interesting. The CSP evaluator also recommends this approach, so could the unsafe-inline directive be included if a nonce is set and supportOldBrowsers is true?
Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as well. Of course, this is less secure again.
Firefox and Edge ignore the "unsafe-inline" directive if nonces are also called, so this is fine in those browsers; but... I can't determine if Chrome or newer versions of iOS Safari (10+) do the same. Thus, I'm not positive that just adding unsafe-inline is the correct (safe) fix. Worth investigating though.
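To make the trade-off discussed in this thread concrete, here is an added example (not code from the project or from any commenter) that models how a `script-src` source list containing both a nonce and `'unsafe-inline'` is evaluated by three classes of browser: one with no CSP support at all, one that only understands CSP Level 1 (no nonce sources, so they are skipped and `'unsafe-inline'` decides), and one that implements the CSP Level 2 rule that `'unsafe-inline'` is ignored whenever a nonce or hash source is present. The header strings and the nonce value are constructed placeholders; the `"none"`, `"csp1"` and `"csp2"` labels are the example's own names, not a browser API.

```python
import re
from typing import Dict, List, Optional

# Constructed sample policies (placeholder nonce; a real nonce must be a fresh,
# unguessable random value generated for every response).
NONCE = "d2VsbC1pdHMtYS1ub25jZQ"
NONCE_ONLY = f"default-src 'self'; script-src 'self' 'nonce-{NONCE}'"
NONCE_PLUS_INLINE = (
    f"default-src 'self'; script-src 'self' 'nonce-{NONCE}' 'unsafe-inline'"
)

NONCE_SRC = re.compile(r"^'nonce-([A-Za-z0-9+/=_-]+)'$")
HASH_SRC = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/=_-]+'$")


def source_list(header: str, directive: str) -> List[str]:
    """Return the source expressions for `directive` from a serialized CSP header,
    falling back to default-src when the directive is absent (as CSP does)."""
    directives: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives.get(directive, directives.get("default-src", []))


def inline_script_allowed(sources: List[str], element_nonce: Optional[str], level: str) -> bool:
    """Decide whether an inline <script> (nonce attribute optional) is allowed to run.

    level == "none": the browser enforces no CSP, everything runs.
    level == "csp1": CSP Level 1 only; 'nonce-...' sources are not recognised and
                     are skipped, so 'unsafe-inline' alone decides.
    level == "csp2": CSP Level 2+; a matching nonce allows the element, and when
                     the source list contains any nonce or hash source,
                     'unsafe-inline' is ignored.
    """
    if level == "none":
        return True
    unsafe_inline = "'unsafe-inline'" in sources
    if level == "csp1":
        return unsafe_inline
    nonces = set()
    has_hash = False
    for src in sources:
        m = NONCE_SRC.match(src)
        if m:
            nonces.add(m.group(1))
        elif HASH_SRC.match(src):
            has_hash = True
    if element_nonce is not None and element_nonce in nonces:
        return True
    if nonces or has_hash:
        return False  # 'unsafe-inline' is ignored once nonces/hashes are present
    return unsafe_inline


def evaluate(header: str, level: str) -> Dict[str, bool]:
    """For one browser class: does the nonced script run, and is the un-nonced one blocked?
    'unnonced_blocked' corresponds to PASS in the thread's test results."""
    sources = source_list(header, "script-src")
    return {
        "nonced_runs": inline_script_allowed(sources, NONCE, level),
        "unnonced_blocked": not inline_script_allowed(sources, None, level),
    }


if __name__ == "__main__":
    for label, header in (("nonce only", NONCE_ONLY), ("nonce + unsafe-inline", NONCE_PLUS_INLINE)):
        for level in ("none", "csp1", "csp2"):
            print(f"{label:22} {level:5} {evaluate(header, level)}")
```

Running it shows the two sides of the `supportOldBrowsers` question: with the nonce alone, a CSP-1-only browser blocks the site's own nonced script (the page breaks), while with `'unsafe-inline'` added, CSP-2 browsers still block un-nonced inline script but CSP-1-only and no-CSP browsers run it, which is the FAIL column in the results above.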