
We want to secure our site with Content-Security-Policy, and even with the setting of allowing inline scripts (default-src 'self'; script-src 'self' 'unsafe-inline'), loading modernizr (2.6.2) produces 4 CSP violations.


I upgraded to the latest version (3.6.0), the develop version, and now it produces over 30 CSP violations.


I couldn't find any official statement on CSP on the modernizr site, it merely mentions that in 2012, they added a detect for Content Security Policy (https://modernizr.com/news/modernizr-262). Reading various blogs and Stack Overflow questions, I find most up-to-date best-practice from 2017 to be:

If modernizr is injecting all that inline stuff then it seems like your choices are to either (a) add all those hashes, (b) use 'unsafe-inline' (but which basically defeats the whole purpose of CSP…), or (c) don’t use modernizr.

Although, the errors I am getting occur even when using unsafe-inline.

Has anyone found a workable solution to using both Content-Security-Policy and modernizr?

Edward Tanguay



Try using this lenient CSP default-src * 'unsafe-eval' 'unsafe-inline' 'unsafe-dynamic' data: filesystem: about: blob: ws: wss: and start removing keywords until you start getting errors. With this method you can adjust your CSP to your needs.

It would be nice if there was some sort of CSP generator where you give it a website and it just knows which CSP you need in order to not keep erroring.

Remember that * means allow all domains, so replace this with all domains you intend to support.

This of course just fixes, or solves, the issue, and it depends on what's at stake, what content your website offers, and how vulnerable users would be if an XSS attack could be carried through. CSP protects merely against XSS attacks; this is just JavaScript that could be inserted by a third party. Using HTTPS, for example, will make it almost impossible for a MITM to inject arbitrary code.

Rainb
  • I think you're better off starting with the most stringent CSP and then relaxing it until you stop getting errors. You'll most likely end up with a more secure CSP that meets your needs. – Ogen Nov 13 '19 at 01:34