'Style CSP violation inside script

I have a JS external library script in my web application (physically located on my server). The script violates CSP. Having CSP header set to script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' allows it to run.

I'd like to abandon 'unsafe-inline' 'unsafe-eval' and specify explicitly only that script to be allowed to run desipte violating CSP.

I tired using: script-src 'self' 'nonce-12345'; style-src 'self' 'nonce-12345' and the script is imported: <script src="/Content/libs/xxx/xxx.js?v=637775866579115407" nonce="12345"></script> But the script still gets bloked:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' 'nonce-12345'". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution. So the script itself run, but fails because of the style violation. If I add 'sha256-47...' to the style-src header it works. Why does it gets blocked despite having nonce set? Is there any way of letting it pass without specifying sha256 hash?enter image description here

content-security-policy


Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Related Questions

Jenkins Content Security Policy

content-security-policy doesn't work; I want to have my website load in an iFrame on ONE other website only

Adding nonce value to @Scripts.Render ASP.Net MVC razor pages with NWebSec

Iframe in Chrome error: Failed to read 'localStorage' from 'Window': Access denied for this document

How do I allow the Geolocation API inside an iframe?

Content Security Policy directive: "default-src 'self'". Note that 'frame-src' was not explicitly set, so 'default-src' is used as a fallback

Why won't my content security policy deploy to CloudFront?

Script causes “Refused to execute inline script: Either the 'unsafe-inline' keyword, a hash… or a nonce is required to enable inline execution”

Why can't Mozilla observatory detect the http security headers on my website anymore?

Angular build generates index.html with <style> tag

Content Security Policy violation with Bootstrap 5

How to have Cypress go through every page on site to see if there are any console errors and if so, make it known to the user running the test

Angular application throwing "inline style..." error due to CSP response header configured on server

Chrome Extension: Refused to load the script, because it violates the following Content Security Policy directive: "script-src 'self'"

Unable to use dynamic svg url in github Readme.md