"support older browsers" nonce fix #31
Comments
Are these versions of iOS Safari still supported? (I'm asking because I don't own any Apple products, so I don't have a frame of reference. This could be an "Internet Explorer 11" bug or an "Internet Explorer 5.5" bug and I wouldn't know which.)
Apple seems to come out with a new iOS about every year or so, and the current version is 11, so iOS 9 certainly isn't new, but not ancient either. Maybe on par with IE 11 or possibly 10. A lot of people are still on iOS 9 or 10 because certain iPhones and iPads max out at that OS. I believe it falls within a reasonable "older browsers". iOS 5 or lower would be analogous to IE 6.... (Edit: more like iOS 1 or 2....)
Looked it up. iOS 9 was introduced in September 2015.
Okay, I did some testing with inline non-nonced Style and Script tags. So... "Pass" means the browser blocked the non-nonced Style and Script. "Fail" means it did not block the non-nonced Style or Script:
Results:
Older versions of iOS Safari (iOS 9 and earlier) don't understand CSP nonces. So when using nonces, if you want those browsers to work you have to add unsafe-inline as well. Of course, this is less secure again.
Firefox and Edge ignore the "unsafe-inline" directive if nonces are also called, so this is fine in those browsers; but... I can't determine if Chrome or newer versions of iOS Safari (10+) do the same. Thus, I'm not positive that just adding unsafe-inline is the correct (safe) fix. Worth investigating though.