Chrome data-URI; CSP violation although nonce- and sha256- are set

I have a complete HTML page with inline JS, inline CSS and base64-encoded images, which I load as a base64-encoded data URI:

data:text/html;base64, .....

The Chrome console states that I have a CSP violation, although I have used all(?) possible mitigations:

  • I use the meta-tag option to set less strict CSP rules
  • I have implemented the nonce- mitigation
  • I have also implemented the sha256- hash mitigation

Nevertheless, Chrome states that I have CSP violations. Everything runs fine in Firefox, but Chromium-based browsers don't work.

HTML:

    <!doctype html>
    <html lang="en">
    <head><meta http-equiv="Content-Security-Policy" content="script-src *  'sha256-Rg49/Z/r5MViuVxsD4nXhpLpVMHbCB8N+Z0shdtNaHE=' 'sha256-OAIlw5RTg+TQhqHqIyHzfBfsq521OfIy5WK4hMd4F8c=' 'sha256-TPPz6zUeSHBWLcT8iTaj5ZhZC8qH8Szzx8qbeik9ca0=' 'unsafe-inline' 'nonce-ChuckLovesYouChrome' data data:; script-src-elem * 'unsafe-inline' 'nonce-ChuckLovesYouChrome' data data:; ">
      <meta charset="utf-8">

Inline script tags (three of them; all start like this):

    <script nonce="ChuckLovesYouChrome"

The page is not being served by a web server, so there is no HTTP header with CSP declarations in place/involved. Still I get those errors:

[image: console errors with CSP declarations]

What am I missing?



Solution 1:[1]

The most likely explanation is that you have inline event handlers (attributes) such as onclick, onload, etc. You will need to refactor them as described here: https://csp.withgoogle.com/docs/adopting-csp.html. You could use 'unsafe-hashes' for CSP Level 3, https://content-security-policy.com/unsafe-hashes/, but there are still a lot of Level 2 browsers around, and you really don't want any 'unsafe'.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source

Solution 1: Halvor Sakshaug