The question
With our use of Modernizr version 2.6.2 we have detected a security vulnerability pointing to the presence of an 'unsafe-' directive in the Content Security Policy header.
As per the standards, and to be compliant with CSP, 'unsafe-' prefixed directives should be removed from the Content Security Policy header configuration. To meet CSP compliance we tried to remove the 'unsafe-' prefixed directives ('unsafe-inline' and 'unsafe-eval'), but this creates an issue rendering the Modernizr scripts/styles in the application.
Remediation Step Followed:
We followed the remediation steps of adding 'nonce' and 'hash' techniques, but we failed to add or insert the nonce/hash into Modernizr.
Modernizr has the inline CSS:

```javascript
a.yepnope.injectCss = function(a, c, d, e, g, i) { var e = b.createElement("link"), j, c = i ? h : c || f; e.href = a, e.rel = "stylesheet", e.type = "text/css"; for (j in d) e.setAttribute(j, d[j]); g || (n.parentNode.insertBefore(e, n), m(c, 0)) } }(this, document), Modernizr.load = function()
```
Following is the version info of the Modernizr we are using: Modernizr 2.6.2 (Custom Build) | MIT & BSD
Can you please help us with any settings we can apply in Modernizr to stop this header from appearing.
The Content Security Policy header has the 'unsafe-' prefixed directive:

```
default-src 'self' stats.g.doubleclick.net *.google-analytics.com *.googletagmanager.com *.transunion.com; style-src 'self' *.google-analytics.com *.googletagmanager.com *.transunion.com 'unsafe-inline'; font-src
```