Google Chrome - Why isn't this inline JavaScript blocked by Content Security Policy

Questions

I have a page that I set the script-src of the content security policy like this:

script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*

When I load the page with a hard-coded inline script I have created myself to test, it is blocked like expected:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.

However, when I insert a new script tag dynamically, the script isn't blocked. For example, this still executes:

$("body").append("<script>alert('xss');</script>")

I am using Chrome as the browser here for testing. I was hoping that this script would be blocked as well, since that would really help to prevent XSS. Is there something I can change to block this type of script injection as well?
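As an added example (not part of the original question or answer), the following audits a script-src source list the way a reviewer would before relying on it: it separates keywords, nonces, hashes and host sources, flags unquoted keywords (a bare self is a host named "self", not the page's origin) and wildcard hosts, and reports whether inline script can run at all. The directive used is constructed from the one in the question, with 'self' quoted.

```javascript
// Added example: audit a CSP script-src source list (not code from the post).
const KEYWORDS = new Set([
  "'self'", "'none'", "'unsafe-inline'", "'unsafe-eval'",
  "'strict-dynamic'", "'unsafe-hashes'", "'report-sample'",
]);
const NONCE_RE = /^'nonce-[A-Za-z0-9+/_-]+={0,2}'$/;
const HASH_RE = /^'sha(256|384|512)-[A-Za-z0-9+/_-]+={0,2}'$/;

function parseScriptSrc(directive) {
  const tokens = directive.trim().split(/\s+/);
  if (tokens[0] && tokens[0].toLowerCase() === 'script-src') tokens.shift();
  const r = { keywords: [], nonces: [], hashes: [], hosts: [], findings: [] };
  for (const tok of tokens) {
    const low = tok.toLowerCase();
    if (KEYWORDS.has(low)) r.keywords.push(low);
    else if (NONCE_RE.test(tok)) r.nonces.push(tok);
    else if (HASH_RE.test(tok)) r.hashes.push(tok);
    else {
      r.hosts.push(tok);
      // Keywords must be single-quoted; a bare "self" is a host source named
      // self and allows nothing from the page's own origin.
      if (KEYWORDS.has(`'${low}'`)) r.findings.push(`unquoted keyword: ${tok}`);
      else if (tok.includes('*')) r.findings.push(`wildcard host source: ${tok}`);
    }
  }
  // An inline <script> block is checked the same way whether it was in the
  // HTML or created through the DOM: it runs only with 'unsafe-inline' or a
  // matching nonce/hash. A nonce or hash makes browsers ignore 'unsafe-inline'.
  if (r.nonces.length || r.hashes.length) r.inline = 'nonce-or-hash-only';
  else if (r.keywords.includes("'unsafe-inline'")) r.inline = 'any';
  else r.inline = 'blocked';
  if (r.inline === 'any') r.findings.push("'unsafe-inline' allows every inline script");
  if (r.keywords.includes("'unsafe-eval'")) r.findings.push("'unsafe-eval' allows eval()");
  return r;
}

// Constructed from the question's directive, with 'self' quoted.
const EXAMPLE = "script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*";
console.log(parseScriptSrc(EXAMPLE));
```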

Answers

The script you add with append or innerHTML won't be executed unless you use eval(). So it's not violating CSP.

https://developer.mozilla.org/en-US/docs/Web/API/element.innerHTML

http://www.w3.org/TR/2008/WD-html5-20080610/dom.html#innerhtml0

Source

License : cc by-sa 3.0

http://stackoverflow.com/questions/24856089/why-isnt-this-inline-javascript-blocked-by-content-security-policy
