CSP nginx nonce
I have some problems with adding CSP to my site. I configured Content-Security-Policy-Report-Only in my nginx configuration. And i get this.
adsbygoogle.js:37 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src http://example.com". Either the 'unsafe-inline' keyword, a hash ('sha256-c+dT7QO/wB/DJJUeioTL/YNq09s5o1WF1vk5RjJU/4I='), or a nonce ('nonce-...') is required to enable inline execution. (anonymous function) @ adsbygoogle.js:37
I searched solutions about that. But everywhere i see something like: "turn on 'unsafe-inline'". But its unsafe method. I think i can use "nonce-". But I dont know how to realize it in nginx conf. Can you help me?
It is not enough to modify your nginx configuration in order to use nonces.
Nonces must be generated for each request, so that attackers cannot know them (otherwise, they can just inject a script/resource with the same nonce).
Hence:
- If you’re using nginx as a reverse-proxy, your application (behind nginx) must be modified in such a way that it will generate a nonce, add that nonce to all
<script>
blocks and<style>
blocks in its output and serve the corresponding CSP header. - If you’re using nginx to serve static files, move
<script>
and<style>
contents into separate files, compute their hash, and use the hash instead.
Now, having answered the generic question, let’s talk specifics. From your error message, I think you’re talking about //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js. That script seems to be using inline styles, but isn’t under your control, so you can’t use nonces. Aside from asking Google to change the script, I don’t see what you could do.