While testing a strict CSP (Header set Content-Security-Policy "default-src 'self'; report-uri /violation.php") I found that modernizr uses inline styles, preventing a strict CSP.

To reproduce, add the CSP header to the reponse, then login as user 1 on chrome Version 56.0.2924.76 (64-bit) MacOS Sierra. On the frontpage you'll see violations listed in the developer console.


Refused to apply inline style because it violates the following Content Security Policy directive: "default-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-5uIP+HBVRu0WW8ep6d6+YVfhgkl0AcIabZrBS5JJAzs='), or a nonce ('nonce-...') is required to enable inline execution. Note also that 'style-src' was not explicitly set, so 'default-src' is used as a fallback.
f @ modernizr.min.js?v=3.3.1:3

Report via the report-uri:

      "original-policy":"default-src 'self'; report-uri /violation.php",

Upstream issue: https://github.com/Modernizr/Modernizr/issues/1262


Heine created an issue. See original summary.

xjm’s picture

Version: 8.3.x-dev » 8.4.x-dev