I have a page on which I set the script-src of the Content Security Policy like this:
script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*
When I load the page with a hard-coded inline script that I created myself to test, it is blocked as expected:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*". Either the 'unsafe-inline' keyword, a hash ('sha256-...'), or a nonce ('nonce-...') is required to enable inline execution.
However, when I insert a new script tag dynamically, the script isn't blocked; for example, this still executes:
$("body").append("<script>alert('xss');</script>")
I am using Chrome as the browser here for testing. I was hoping that this script would be blocked as well, since that would really help to prevent XSS. Is there something I can change to block this type of script injection as well?
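Added example (not part of the question above, and not code from any answer): a small JavaScript model of how a browser applies a script-src directive to a script that is about to run. It follows the CSP Level 3 source-matching rules for the keywords, nonces, hashes and host-sources that appear in the question's policy (wildcard hosts like *.uservoice.com, wildcard ports like localhost:*), and it is useful for reasoning about which injection vectors a given policy leaves open. Per the spec the inline check does not depend on how a script element got into the document: a <script> without src that is appended later is checked exactly like one in the original HTML, and string-to-code paths (eval, new Function, setTimeout with a string) are governed by 'unsafe-eval'. The function names (scriptAllowed, injectionReport), the page URLs and the sample policies are my own constructions; paths in host-sources, scheme-sources such as https:, and 'strict-dynamic' are deliberately out of scope.

```javascript
// Model of the CSP script-src check (added example; not a browser implementation).
// Out of scope: host-source paths, scheme-sources such as https:, 'strict-dynamic'.

const DEFAULT_PORTS = { 'http:': '80', 'https:': '443' };

// Split a host-source such as "localhost:*" or "https://cdn.example.com:8443" into parts.
function parseHostSource(tok) {
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:\/]+)(?::(\d+|\*))?(\/.*)?$/i.exec(tok);
  if (!m) throw new Error('unsupported source expression: ' + tok);
  return { scheme: m[1] ? m[1].toLowerCase() : null, host: m[2].toLowerCase(), port: m[3] || null };
}

// Parse the value of a script-src directive. Quoted tokens are keywords, nonces or
// hashes; anything unquoted is a host-source, so a bare `self` names a host called
// "self" rather than the 'self' keyword (a common mistake worth checking for).
function parseScriptSrc(directive) {
  const value = directive.trim().replace(/^script-src\s+/i, '');
  const policy = { keywords: new Set(), nonces: new Set(), hashes: new Set(), hosts: [] };
  for (const tok of value.split(/\s+/).filter(Boolean)) {
    if (tok.length > 1 && tok.startsWith("'") && tok.endsWith("'")) {
      const inner = tok.slice(1, -1);
      if (/^nonce-/i.test(inner)) policy.nonces.add(inner.slice(6));
      else if (/^sha(256|384|512)-/i.test(inner)) policy.hashes.add(inner);
      else policy.keywords.add(inner.toLowerCase());
    } else {
      policy.hosts.push(parseHostSource(tok));
    }
  }
  return policy;
}

// A source scheme (or, when the source has none, the page's scheme) also matches
// its secure upgrade: http -> https.
function schemeMatches(sourceScheme, urlScheme) {
  return sourceScheme === urlScheme || (sourceScheme === 'http:' && urlScheme === 'https:');
}

function hostSourceMatches(src, url, page) {
  if (!schemeMatches(src.scheme ? src.scheme + ':' : page.protocol, url.protocol)) return false;
  const host = url.hostname.toLowerCase();
  if (src.host === '*') {
    // any host
  } else if (src.host.startsWith('*.')) {
    const suffix = src.host.slice(1);                         // "*.uservoice.com" -> ".uservoice.com"
    if (!host.endsWith(suffix) || host.length <= suffix.length) return false; // apex domain is NOT matched
  } else if (src.host !== host) {
    return false;
  }
  const urlPort = url.port || DEFAULT_PORTS[url.protocol] || '';
  if (src.port === '*') return true;                          // "localhost:*" -> any port
  if (src.port !== null) return src.port === urlPort;
  return urlPort === (DEFAULT_PORTS[url.protocol] || '');     // no port in source: default port only
}

// script is one of:
//   { kind: 'inline', nonce?, hash? }  a <script> without src, however it was inserted
//   { kind: 'eval' }                   eval(), new Function(), setTimeout("string")
//   { kind: 'external', url }          a <script src=...> element
function scriptAllowed(directive, script, pageUrl) {
  const p = parseScriptSrc(directive);
  const page = new URL(pageUrl);
  switch (script.kind) {
    case 'eval':
      return p.keywords.has('unsafe-eval');
    case 'inline':
      if (script.nonce !== undefined && p.nonces.has(script.nonce)) return true;
      if (script.hash !== undefined && p.hashes.has(script.hash)) return true;
      // Once a nonce or hash is present, CSP2+ browsers ignore 'unsafe-inline'.
      return p.keywords.has('unsafe-inline') && p.nonces.size === 0 && p.hashes.size === 0;
    case 'external': {
      const url = new URL(script.url, pageUrl);
      if (p.keywords.has('self') && url.origin === page.origin) return true;
      return p.hosts.some((h) => hostSourceMatches(h, url, page));
    }
    default:
      throw new Error('unknown script kind: ' + script.kind);
  }
}

// Summarise which injection vectors a policy leaves open on a given page.
function injectionReport(directive, pageUrl) {
  return {
    inlineScriptElement: scriptAllowed(directive, { kind: 'inline' }, pageUrl),
    evalLikeApis: scriptAllowed(directive, { kind: 'eval' }, pageUrl),
    sameOriginSrc: scriptAllowed(directive, { kind: 'external', url: '/app.js' }, pageUrl),
  };
}

// The policy from the question, evaluated for a constructed page origin.
const QUESTION_POLICY =
  "script-src 'self' *.uservoice.com *.intuit.com ajax.googleapis.com localhost:*";
console.log(injectionReport(QUESTION_POLICY, 'https://app.example.com/'));
```

Under this model the question's policy blocks inline elements and eval, allows same-origin and listed-host script files, and (because *.uservoice.com matches subdomains only) does not allow a script from uservoice.com itself. Running scriptAllowed("script-src self", { kind: 'external', url: '/app.js' }, pageUrl) returns false, which is the quick way to see why the quotes around 'self' matter. To check what a real browser does rather than the model, attach a securitypolicyviolation listener on the page (document.addEventListener('securitypolicyviolation', e => console.log(e.violatedDirective, e.blockedURI))) and try each vector; every blocked attempt fires that event.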