While testing a strict CSP (Header set Content-Security-Policy "default-src 'self'; report-uri /violation.php") I found that Modernizr uses inline styles, preventing a strict CSP.

To reproduce, add the CSP header to the response, then log in as user 1 on Chrome Version 56.0.2924.76 (64-bit) on macOS Sierra. On the front page you'll see violations listed in the developer console.

Console:

Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-5uIP+HBVRu0WW8ep6d6+YVfhgkl0AcIabZrBS5JJAzs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
f @ modernizr.min.js?v=3.3.1:3

Report via the report-uri:

{
   "csp-report":{
      "document-uri":"http://drupal8.dev/",
      "referrer":"",
      "violated-directive":"style-src",
      "effective-directive":"style-src",
      "original-policy":"default-src 'self'; report-uri /violation.php",
      "disposition":"enforce",
      "blocked-uri":"inline",
      "line-number":3,
      "column-number":2009,
      "source-file":"http://drupal8.dev/core/assets/vendor/modernizr/modernizr.min.js?v=3.3.1",
      "status-code":200
   }
}

Upstream issue: https://github.com/Modernizr/Modernizr/issues/1262

Comments

Heine created an issue. See original summary.

xjm

Version: 8.3.x-dev » 8.4.x-dev