Open
Labels: feature (New feature or a request for a new feature.)
🚀 Feature Request
I propose to add 'strict-dynamic' to script-src and script-src-elem, and to include base-uri 'self'.
Proposed change:
- default-src 'self' https: http: ws: wss:; font-src 'self' https: http: data:; img-src 'self' https: http: data: blob:; media-src 'self' https: http: data: blob:; object-src 'none'; script-src 'self' https: http: 'unsafe-inline' 'nonce-c7rwJ7s8WfSN0MK2VG3UWQ=='; style-src 'self' https: http: 'unsafe-inline'; style-src-attr 'unsafe-inline'; connect-src 'self' https: http: ws: wss:; report-uri /csp-violation-report; script-src-elem 'self' https: http: 'unsafe-inline' 'nonce-c7rwJ7s8WfSN0MK2VG3UWQ=='
+ default-src 'self' https: http: ws: wss:; font-src 'self' https: http: data:; img-src 'self' https: http: data: blob:; media-src 'self' https: http: data: blob:; object-src 'none'; script-src 'strict-dynamic' 'self' https: http: 'unsafe-inline' 'nonce-c7rwJ7s8WfSN0MK2VG3UWQ=='; style-src 'self' https: http: 'unsafe-inline'; style-src-attr 'unsafe-inline'; connect-src 'self' https: http: ws: wss:; report-uri /csp-violation-report; script-src-elem 'strict-dynamic' 'self' https: http: 'unsafe-inline' 'nonce-c7rwJ7s8WfSN0MK2VG3UWQ=='; base-uri 'self'
🔈 Motivation
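Review bot: once 'strict-dynamic' is present in script-src and script-src-elem, browsers that support it ignore 'self', https:, http: and 'unsafe-inline' in those two directives, so the allowlist kept on the + line only matters as a fallback for older browsers. That is the usual pattern, but it means every script tag pwpush serves must carry the per-response nonce (or be inserted by a script that was itself nonced), otherwise modern browsers block it; worth verifying against the app's script tags, including any third-party embeds, before merging. Note also that 'unsafe-inline' is already ignored wherever a nonce is present, so the practical effect of this change is on scripts previously admitted by https:/http:. base-uri 'self' is independent of 'strict-dynamic' and is a safe addition unless the app emits a <base> element pointing off-origin.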
I tested the current Content Security Policy using https://csp-evaluator.withgoogle.com/ and pasted it into the tool.
As shown in the screenshot above, the evaluator flags missing base-uri and recommends adding 'strict-dynamic' to both script-src and script-src-elem.
After applying the proposed additions, the CSP score improves and the warnings disappear, as demonstrated in the second screenshot.
🛰 Alternatives
📎 Additional context
Self-hosted pwpush v1.66.1.
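As an added illustration of the point in this issue (example code written here, not pwpush's own code), the following Python script parses a serialized CSP header, reports a missing base-uri, and models which script-src sources a CSP3 browser still honours once 'strict-dynamic' is present. The two policies are shortened versions of the before/after lines above; the nonce is a constructed placeholder, and the `review` function and its wording are this example's own.

```python
"""Parse a Content-Security-Policy header and model the effect of adding
'strict-dynamic' and base-uri (added example, not pwpush project code)."""
from __future__ import annotations

# Constructed placeholder; real deployments generate a fresh nonce per response.
NONCE = "'nonce-EXAMPLEnonceNOTreal=='"

# Shortened "before" and "after" policies from the proposal, nonce swapped for the placeholder.
BEFORE = (
    "default-src 'self' https: http: ws: wss:; object-src 'none'; "
    f"script-src 'self' https: http: 'unsafe-inline' {NONCE}; "
    f"script-src-elem 'self' https: http: 'unsafe-inline' {NONCE}; "
    "report-uri /csp-violation-report"
)
AFTER = (
    "default-src 'self' https: http: ws: wss:; object-src 'none'; "
    f"script-src 'strict-dynamic' 'self' https: http: 'unsafe-inline' {NONCE}; "
    f"script-src-elem 'strict-dynamic' 'self' https: http: 'unsafe-inline' {NONCE}; "
    "report-uri /csp-violation-report; base-uri 'self'"
)

SCRIPT_DIRECTIVES = ("script-src", "script-src-elem")
# Keyword sources that remain meaningful next to 'strict-dynamic' (CSP3).
STRICT_DYNAMIC_KEEP = {
    "'strict-dynamic'", "'unsafe-eval'", "'wasm-unsafe-eval'",
    "'unsafe-hashes'", "'report-sample'",
}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [source expressions]}.
    A repeated directive name is ignored after its first occurrence, as browsers do."""
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def is_nonce_or_hash(source: str) -> bool:
    s = source.lower()
    return s.startswith("'nonce-") or s.startswith(("'sha256-", "'sha384-", "'sha512-"))


def effective_script_sources(sources: list[str]) -> list[str]:
    """Return the sources a CSP3 browser actually honours for a script directive.

    With 'strict-dynamic', host sources, scheme sources, 'self' and 'unsafe-inline'
    are ignored: only nonced/hashed scripts (and scripts they load) are trusted.
    Without it, a nonce or hash still causes 'unsafe-inline' to be ignored (CSP2)."""
    strict = "'strict-dynamic'" in sources
    has_nonce_or_hash = any(is_nonce_or_hash(s) for s in sources)
    kept: list[str] = []
    for s in sources:
        if strict:
            if is_nonce_or_hash(s) or s.lower() in STRICT_DYNAMIC_KEEP:
                kept.append(s)
        elif s.lower() == "'unsafe-inline'" and has_nonce_or_hash:
            continue  # dead weight: the nonce already disables 'unsafe-inline'
        else:
            kept.append(s)
    return kept


def review(policy: str) -> list[str]:
    """Findings in the spirit of the CSP evaluator: missing base-uri, and which
    script-directive sources are ignored by the browser under the current keywords."""
    d = parse_csp(policy)
    findings: list[str] = []
    if "base-uri" not in d:
        findings.append("base-uri missing: the href of an injected <base> element is unrestricted")
    for name in SCRIPT_DIRECTIVES:
        if name not in d:
            continue
        srcs = d[name]
        ignored = [s for s in srcs if s not in effective_script_sources(srcs)]
        mode = "'strict-dynamic' active" if "'strict-dynamic'" in srcs else "allowlist mode"
        findings.append(f"{name}: {mode}; ignored sources: {' '.join(ignored) or 'none'}")
    return findings


if __name__ == "__main__":
    for label, policy in (("BEFORE", BEFORE), ("AFTER", AFTER)):
        print(label)
        for f in review(policy):
            print("  -", f)
```

Running the script shows that in the proposed policy only 'strict-dynamic' and the nonce remain effective for script-src, which is exactly why every script tag must be nonced once the change lands.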