krakenjs/lusca

CSP policy is wrong when whitespace is missing before 'self'

danielcl opened this issue · 0 comments

I just realized that you need to write the policy like this in order for the nonce to work:

policy: {
  "default-src": "'self'",
  "img-src": "'self'",
  "style-src": " 'self' 'unsafe-inline'",
  "script-src": " 'self' 'unsafe-eval'"
},

The important part is the whitespace before 'self'. If there is no whitespace, it will generate a wrong CSP policy, and Chrome, for example, shows a warning like this:

The source list for Content Security Policy directive 'script-src' contains an invalid source: ''nonce-157452790003100'unsafe-eval''. It will be ignored.
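An added example (not lusca's code and not from the issue author) showing the class of bug the report describes: a CSP source list built by concatenating the nonce token onto the configured value with no separator, beside a builder that joins every source with a space, plus a check that flags run-together quoted tokens such as the one in Chrome's warning. The builder functions and the exact concatenation order are assumptions for illustration, not lusca's implementation.

```javascript
// Added illustration, not lusca's implementation: the naive builder assumes
// the nonce token is glued directly onto the configured directive value, so
// the user-supplied leading space is the only thing separating the tokens.
function buildDirectiveNaive(name, configured, nonce) {
  return `${name} 'nonce-${nonce}'${configured}`;
}

// Corrected builder: tokenize the configured value on whitespace and join
// every source with exactly one space, so leading whitespace is irrelevant.
function buildDirectiveFixed(name, configured, nonce) {
  const tokens = configured.trim().split(/\s+/).filter(Boolean);
  return [name, `'nonce-${nonce}'`, ...tokens].join(' ');
}

// A quoted CSP source must be a single keyword, nonce or hash between one
// opening and one closing quote; anything else is rejected by the browser.
const QUOTED_SOURCE =
  /^'(self|none|unsafe-inline|unsafe-eval|strict-dynamic|nonce-[A-Za-z0-9+\/=_-]+|sha(256|384|512)-[A-Za-z0-9+\/=]+)'$/;

// Return the quoted sources in one directive that a browser would ignore,
// e.g. the "'nonce-...'unsafe-eval'" token quoted in Chrome's warning.
// Host and scheme sources are not validated here.
function invalidSources(directive) {
  const [, ...sources] = directive.trim().split(/\s+/);
  return sources.filter(src => src.startsWith("'") && !QUOTED_SOURCE.test(src));
}

// Constructed demo using the nonce value that appears in the issue.
const demoNonce = '157452790003100';
console.log(invalidSources(buildDirectiveNaive('script-src', "'self' 'unsafe-eval'", demoNonce)));
console.log(invalidSources(buildDirectiveFixed('script-src', "'self' 'unsafe-eval'", demoNonce)));
```

Running `invalidSources` over every directive of the final header before it is sent is a cheap regression check for this kind of separator bug.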