Description

The Content Security Policy (CSP) on the target application uses nonce values without enclosing them in single quotes. The CSP specification requires nonce source expressions to be wrapped in single quotes (e.g., 'nonce-abc123' rather than nonce-abc123); an unquoted token is not recognised as a nonce, so the policy does not behave as written. This misconfiguration may prevent the CSP from working as intended, potentially leaving the application vulnerable to the cross-site scripting (XSS) attacks the policy was designed to prevent.

Remediation

Update all CSP directives to ensure nonce values are enclosed in single quotes. Review both HTTP headers and meta tags that define CSP policies.

For HTTP Headers:

Incorrect:
Content-Security-Policy: script-src nonce-abc123

Correct:
Content-Security-Policy: script-src 'nonce-abc123'

For HTML Meta Tags:

Incorrect:
<meta http-equiv="Content-Security-Policy" content="script-src nonce-abc123">

Correct:
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc123'">

After making changes, test the CSP implementation using browser developer tools to verify that policies are correctly applied and that legitimate scripts execute while maintaining security protections.
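The following is an added example, not code from the original entry or from any scanner product, showing how a review of both the HTTP header and the meta tag form of a policy can be automated before the browser check described above. The policy parser, the token classification and the meta tag regular expression are assumptions made for this example (the regex only handles http-equiv appearing before content, and a single policy per tag); the nonce value abc123 and the sample markup are constructed. It flags every token that the specification requires to be single-quoted (nonces, hashes and keywords such as 'self' and 'none') and emits a corrected serialisation, so the same check covers the header and meta tag cases listed under Remediation.

```python
from __future__ import annotations

import base64
import re
import secrets

# Source expressions that CSP requires to be wrapped in single quotes.
# Anything else in a source list is treated as a host or scheme source,
# which is exactly why an unquoted nonce-abc123 is never matched as a nonce.
_QUOTED_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")
_QUOTED_KEYWORDS = {
    "self", "none", "unsafe-inline", "unsafe-eval", "unsafe-hashes",
    "strict-dynamic", "report-sample", "wasm-unsafe-eval",
}

# Assumption for this example: http-equiv precedes content in the tag, and
# the content attribute is delimited by either " or ' (captured as group 1).
_META_RE = re.compile(
    r"<meta\s+[^>]*http-equiv=[\"']Content-Security-Policy[\"'][^>]*"
    r"content=([\"'])(.*?)\1",
    re.IGNORECASE,
)


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Split a serialised policy into {directive: [tokens]}.

    Browsers honour only the first occurrence of a directive, so a repeated
    directive is ignored here as well.
    """
    directives: dict[str, list[str]] = {}
    for raw in policy.split(";"):
        parts = raw.strip().split()
        if not parts:
            continue
        name = parts[0].lower()
        directives.setdefault(name, parts[1:])
    return directives


def _is_quoted(token: str) -> bool:
    return len(token) >= 2 and token.startswith("'") and token.endswith("'")


def needs_quotes(token: str) -> bool:
    """True for nonce-, hash- and keyword sources, which must be quoted."""
    lower = token.lower()
    return lower.startswith(_QUOTED_PREFIXES) or lower in _QUOTED_KEYWORDS


def find_unquoted_tokens(policy: str) -> list[tuple[str, str]]:
    """Return (directive, token) pairs that should be quoted but are not."""
    findings = []
    for name, tokens in parse_csp(policy).items():
        for tok in tokens:
            if needs_quotes(tok) and not _is_quoted(tok):
                findings.append((name, tok))
    return findings


def fix_policy(policy: str) -> str:
    """Re-serialise the policy with every keyword, nonce and hash token quoted."""
    fixed = []
    for name, tokens in parse_csp(policy).items():
        out = [f"'{t}'" if needs_quotes(t) and not _is_quoted(t) else t for t in tokens]
        fixed.append(" ".join([name, *out]))
    return "; ".join(fixed)


def policies_from_html(html: str) -> list[str]:
    """Extract the policy string from each CSP meta tag in a document."""
    return [m.group(2) for m in _META_RE.finditer(html)]


def new_nonce() -> str:
    """Generate a fresh base64 nonce (128 bits of randomness, one per response)."""
    return base64.b64encode(secrets.token_bytes(16)).decode()


if __name__ == "__main__":
    # Constructed sample inputs mirroring the Incorrect/Correct pairs above.
    header = "script-src nonce-abc123; object-src none"
    markup = '<meta http-equiv="Content-Security-Policy" content="script-src nonce-abc123">'
    print("header findings:", find_unquoted_tokens(header))
    print("fixed header:   ", fix_policy(header))
    for policy in policies_from_html(markup):
        print("meta findings:  ", find_unquoted_tokens(policy))
    print("example nonce:  ", f"'nonce-{new_nonce()}'")
```

Run this against the value of each Content-Security-Policy (and Content-Security-Policy-Report-Only) response header and against every CSP meta tag in the rendered HTML; an empty findings list for each policy is the condition to reach before the browser-side verification. The nonce helper is included because the fix is only complete when the quoted nonce is also unpredictable and regenerated for every response.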

References

Related Vulnerabilities

Severity

Info

Classification

CWE-358

Tags

Configuration