Skip to content

Instantly share code, notes, and snippets.

@latentflip

latentflip/index.html

Last active June 7, 2019 16:52
Show Gist options
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
  • Save latentflip/61b3102a90c31999664b6e4933a55d0e to your computer and use it in GitHub Desktop.
Save latentflip/61b3102a90c31999664b6e4933a55d0e to your computer and use it in GitHub Desktop.
Download ZIP
Raw
index.html
<head>
<!-- this will run -->
<style nonce='1234'>
.a {
color: red;
}
</style>
<!-- this won't run -->
<style>
.b {
color: red;
}
</style>
<script>
// allowed (modifying nonced sheet)
var sheet = document.styleSheets[0];
console.log(sheet);
sheet.insertRule(".c { color: red; }", 1);
// not allowed (no nonce)
var style = document.createElement("style");
style.appendChild(document.createTextNode(".d { color: red; }"));
document.head.appendChild(style);
// not allowed correct nonce
var style = document.createElement("style");
style.setAttribute("nonce", "1234");
style.appendChild(document.createTextNode(".e { color: red; }"));
document.head.appendChild(style);
</script>
</head>
<body>
<p class="a">Inline, nonce</p>
<p class="b">Inline, no nonce</p>
<p class="c">Inserted into existing nonced sheet</p>
<p class="d">Inserting new no nonce sheet</p>
<p class="e">Inserting new nonced sheet</p>
</body>
Raw
shell.sh
# Run with:
# copy the file above somewhere
npm install -g node-static
static . -a 0.0.0.0 -p 8080 -H "{ \"Content-Security-Policy\": \"script-src 'unsafe-inline'; style-src 'nonce-1234'\" }"
# visit http://{{yourip}}:8080
# NB:! localhost will not work, use a real ip/alias, browser will ignore CSP for localhost
@latentfrippery
Copy link

@latentflip, nice!

@latentfrippery
Copy link

@latentflip still nice.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment