
I have some problems with adding CSP to my site. I configured Content-Security-Policy-Report-Only in my nginx configuration. And I get this.

adsbygoogle.js:37 [Report Only] Refused to apply inline style because it violates the following Content Security Policy directive: "style-src http://example.com". Either the 'unsafe-inline' keyword, a hash ('sha256-c+dT7QO/wB/DJJUeioTL/YNq09s5o1WF1vk5RjJU/4I='), or a nonce ('nonce-...') is required to enable inline execution. (anonymous function) @ adsbygoogle.js:37

I searched for solutions about that. But everywhere I see something like: "turn on 'unsafe-inline'". But it's an unsafe method. I think I can use "nonce-". But I don't know how to realize it in the nginx conf. Can you help me?

1 Answer


It is not enough to modify your nginx configuration in order to use nonces.

Nonces must be generated for each request, so that attackers cannot know them (otherwise, they can just inject a script/resource with the same nonce).

Hence:

  • If you’re using nginx as a reverse-proxy, your application (behind nginx) must be modified in such a way that it will generate a nonce, add that nonce to all <script> blocks and <style> blocks in its output and serve the corresponding CSP header.
  • If you’re using nginx to serve static files, move <script> and <style> contents into separate files, compute their hash, and use the hash instead.

Now, having answered the generic question, let’s talk specifics. From your error message, I think you’re talking about //pagead2.googlesyndication.com/pagead/js/adsbygoogle.js. That script seems to be using inline styles, but isn’t under your control, so you can’t use nonces. Aside from asking Google to change the script, I don’t see what you could do.

Michael
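The two options in the answer, a per-request nonce for an application behind nginx and a precomputed hash for static content, worked through as an added example. This is not code from the question, the answer or nginx; the origin `http://example.com`, the inline CSS/JS snippets and the `handle_request` shape of the response are constructed for illustration.

```python
"""Per-request CSP nonces and CSP sha256 hashes (constructed example)."""
import base64
import hashlib
import html
import secrets


def make_nonce() -> str:
    """Fresh 128-bit random value, base64-encoded, minted once per response.

    Reusing a nonce across responses defeats the mechanism: anyone who has
    seen one page could inject a block carrying the same value.
    """
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_hash(inline_body: str) -> str:
    """CSP source expression in the 'sha256-<base64>' form the browser report quotes.

    The hash covers the exact bytes between the opening and closing tag,
    whitespace included, so the content must not be trimmed or reformatted.
    """
    digest = hashlib.sha256(inline_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def csp_header_with_nonce(origin: str, nonce: str) -> str:
    """Policy that allows inline style/script blocks only if they carry the nonce."""
    return (
        f"default-src 'self'; "
        f"script-src {origin} 'nonce-{nonce}'; "
        f"style-src {origin} 'nonce-{nonce}'"
    )


def csp_header_with_hashes(origin: str, style_hashes, script_hashes) -> str:
    """Policy for content that never changes: each permitted inline block is
    listed by hash, so no per-request state is needed (the static-files case)."""
    parts = ["default-src 'self'"]
    parts.append(" ".join(["script-src", origin, *(f"'{h}'" for h in script_hashes)]))
    parts.append(" ".join(["style-src", origin, *(f"'{h}'" for h in style_hashes)]))
    return "; ".join(parts)


def render_page(nonce: str, inline_css: str, inline_js: str) -> str:
    """Hypothetical template: every inline <style>/<script> gets the nonce attribute."""
    attr = html.escape(nonce, quote=True)
    return (
        "<!doctype html><html><head>"
        f'<style nonce="{attr}">{inline_css}</style>'
        "</head><body>"
        f'<script nonce="{attr}">{inline_js}</script>'
        "</body></html>"
    )


def handle_request(origin: str, inline_css: str, inline_js: str) -> dict:
    """What the application behind nginx does on every request: mint a nonce,
    stamp it on the inline blocks, and send the matching CSP header."""
    nonce = make_nonce()
    return {
        "nonce": nonce,
        "headers": {
            "Content-Type": "text/html; charset=utf-8",
            "Content-Security-Policy": csp_header_with_nonce(origin, nonce),
        },
        "body": render_page(nonce, inline_css, inline_js),
    }


if __name__ == "__main__":
    css = "body { color: red; }"      # constructed inline style
    js = "console.log('hello');"      # constructed inline script
    first = handle_request("http://example.com", css, js)
    second = handle_request("http://example.com", css, js)
    print(first["headers"]["Content-Security-Policy"])
    print("nonce differs per request:", first["nonce"] != second["nonce"])
    print("static alternative:",
          csp_header_with_hashes("http://example.com", [csp_hash(css)], [csp_hash(js)]))
```

Because the nonce changes on every response, the `Content-Security-Policy` header has to be emitted by the same code that renders the page; an nginx `add_header` with a fixed value cannot do this, which is the point the answer makes. The hash variant has no per-request state and is the one that fits purely static files, but it only covers inline content you serve yourself, not styles injected by a third-party script.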