Content Security Policy does not work in Internet Explorer 11

LP13 picture LP13 · Mar 21, 2017 · Viewed 14.1k times · Source

In my asp.net core application for each response i'm adding content security policy header. I understand that for IE, the header name is X-Content-Security-Policy and for other browsers like chrome its Content-Security-Policy

The header value looks something like below where nonce is different for each response.

default-src 'none';   
script-src 'self' 'nonce-somerandomvalue-differnt-foreach-reasone' 'unsafe-eval';  
style-src 'self' 'unsafe-inline';   
img-src 'self' data:;   
font-src 'self';    
object-src 'self';   
connect-src 'self';   
report-uri /csp/report;   

The application is using inline javascript on few pages. So to fix inline-script violation i am adding same nonce value in script tag.
<script type="text/javascript" nonce="somerandomvalue-differnt-foreach-reasone">
Important thing here is the nonce value needs to match with the nonce value in header. some details here

I implemented middleware & tag-helper which adds nonce into header & script tag respectively. And i made sure that both nonce values does match when page renders.

Then just for testing purpose on a page i added script without nonce

<script type="text/javascript">
    $(function () {
        alert('i am hacker');
    })
</script>

Google chrome detects this violation and blocks the above script as expected. However in IE 11 above script gets executed without any violation. Again, I made sure the header in IE is X-Content-Security-Policy

Why IE 11 is not blocking script?

Answer

sideshowbarker picture sideshowbarker · Mar 22, 2017

IE 11 doesn’t support use of the nonce attribute and nonce- source value at all.

The only CSP directive IE11 supports is the sandbox directive. It ignores all other CSP directives.

So you could just completely drop the 'nonce-somerandomvalue-differnt-foreach-reasone' part from your X-Content-Security-Policy header and IE11 will still allow inline scripts.

IE11 will allow inline scripts no matter what you do, unless you have your server send the response with a X-Content-Security-Policy: sandbox header, in which case it will disallow all scripts. And the only way to relax that is to send X-Content-Security-Policy: sandbox allow-scripts, but that will allow all scripts, including inline scripts.

So I think that with IE11 there’s no way to tell it to disallow just inline scripts. You can only tell IE11 to either allow all scripts, or to allow none.


Also note: IE11 was released in 2013, long before the nonce attribute was specified anywhere. I think the first CSP draft spec that the nonce attribute was specified in was some time in 2014.

http://caniuse.com/#feat=contentsecuritypolicy has details on browser support for CSP1 directives:

Partial support in Internet Explorer 10-11 refers to the browser only supporting the 'sandbox' directive by using the X-Content-Security-Policy header.

The nonce attribute is a CSP2 feature. See http://caniuse.com/#feat=contentsecuritypolicy2

Support for nonce and other CSP2 features was added in Edge 15. So Edge 14 and earlier have no support for nonce or other new-in-CSP2 features. But Edge12+ has full support for all of CSP1.