CSP Warning for http:'nonce-......'

We are getting a warning for the CSP.

Content-Security-Policy: Failed to parse unrecognised source http:'nonce-CsqgAsImcPbw75pXcaCQ8pd2nV9Pbsma'

We are using the default CSP Integration. I don’t remember seeing this previously, so it might be a recent error.

Any ideas anyone?

Where are you seeing this warning? I tried visiting your site and didn’t see anything.

Hi hrishikesh, thanks for your reply. I should have mentioned the warning was in the browser console, but it seems to be only in Firefox (not Chrome or Safari):
Content-Security-Policy: Failed to parse unrecognised source http:'nonce-0Mz+C7I2cBxSy/lHNNZ4FiKw3DmQZEJc'

Maybe it is just a browser issue?

Actually, it also appears in the Lighthouse Report on Chrome and Firefox

The source list for the Content Security Policy directive 'script-src' contains an invalid source: 'http:'nonce-N22NBsjFYA9PvsIO0QYRLTwEHcUd53re''. It will be ignored.

Any ideas?

Hi, are you still having issues with this? Sorry we missed this response on your thread.

Hi SamO, yes, still a similar issue on Firefox, but it has changed: no longer the nonce error, but:

Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified shoesforindustry.net
Content-Security-Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified shoesforindustry.net
Content-Security-Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified shoesforindustry.net
Content-Security-Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified shoesforindustry.net
Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified

It’s likely a Firefox issue: javascript - Content security policy including a script - Stack Overflow

Thanks hrishikesh, but I just noticed I am still getting it on Chrome on a different site with the original error:

The source list for the Content Security Policy directive 'script-src' contains an invalid source: 'http:'nonce-Jd0DtYGYvyZicATdKlv87hcDskc3ONcO''. It will be ignored.

On the same site with Firefox, note the first one:

Content-Security-Policy warnings (10)

Content-Security-Policy: Failed to parse unrecognised source http:'nonce-YZvuJ44BaytgqwC9v4RiPOagNGWKFmsy' [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring duplicate source 'unsafe-inline' [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Couldn't parse invalid host 'unsafe-inline' [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: ‘strict-dynamic’ specified [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “'self'” within script-src: ‘strict-dynamic’ specified [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “https:” within script-src: ‘strict-dynamic’ specified [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “http:” within script-src: ‘strict-dynamic’ specified [andreainsworth.com](https://andreainsworth.com/)

Content-Security-Policy: Ignoring “'unsafe-inline'” within script-src: nonce-source or hash-source specified [andreainsworth.com](https://andreainsworth.com/)

Any ideas?

Russ
+44 7488 708 692

Hi @AudioBear,
I think this may be due to the prefixing of “http” before the CSP nonce. Can you confirm what you are using to apply the CSP protections, and if you are using a framework?

I expect there are two “problems” here. The logs beginning with “ignoring” seem to just be informative logs explaining your CSP config. (Without knowing your configuration we are unable to advise on best practices here)

The real issue is the invalid source which as I said I think is likely to be the mixture of prefixing a CSP nonce with a protocol (http)… likely confusing the browser about whether the value is a URI or actually a nonce.

Cheers kylesloper, I appreciate your response.

So ignoring the ‘informative’ log entries and focussing on the odd html nonce in the CSP header:
http:'nonce-EIPl3UPVq/btJiltkJiHLfqltuFP9oC/

I’ve been through the site and can’t find any js ‘http’ stuff and have no idea where it is coming from. We use a CMS which generates the static site and we publish using netlify cli.

Is there anything else I can look at, or some other means by which I can narrow down where the issue is coming from?

Russ

Hi @AudioBear, I have done some reading up on CSP headers and how Netlify integrates its CSP enforcement.

Going back to this header:

http:'nonce-EIPl3UPVq/btJiltkJiHLfqltuFP9oC/

It seems there is nothing wrong with this header value. I initially believed the lack of whitespace between the http: and nonce values was the problem. It turns out this is completely fine syntax and the browser has no problem interpreting it.


I recommend you read this blog post, which explains how Netlify integrates CSP protections: Introducing the Dynamic Content Security Policy (CSP) Integration

Looking at your site’s html it looks like whilst the CSP header is being applied, inline scripts in your site are not given this nonce - which would throw this error you can see in the browser console.

To fix this I’d suggest removing the CSP integration from your site in the admin settings UI:

Integrations → Security → CSP Integration

  • Then re-add the integration
  • Ensure the configuration matches what you need from CSP protections
  • Redeploy with a cleared cache

Then to test:
Open dev-tools and inspect the inline script at the top which removes the no-js class from the html element. Check that the html tag has a nonce attribute with:

  1. a value
  2. a value that matches the CSP header nonce value (this must be the same request used to load the page… you can do this in the network tab)

Let me know how you get on, and apologies for the unnecessary complexity caused earlier.

Thanks for the info Kylesloper.

I guess you must have seen the site when we had removed the CSP and then re-enabled it to see if that was the problem 🙂

So as per your suggestions we re-did the CSP, updated our netlify-cli to the latest version (via brew), cleared caches and redeployed.

All the script elements have nonces as expected.

Sadly the result is the same, still the warning:
Content-Security-Policy: Failed to parse unrecognised source http:'nonce-T8IShZxL0aHMNUjtgs0CUX/+OMqZrnzh'

We have this same system working on other sites with no CSP errors?

Russ
+44 7488 708 692

The only warning I’m seeing is about speculation API:

Is this still Firefox-specific?

Thanks hrishikesh, sorry if it was not clear from the above: I am happy with the warnings on shoesforindustry.net; it was for a client website:

In Chrome Canary
The source list for the Content Security Policy directive 'script-src' contains an invalid source: 'http:'nonce-Ade0MsIziJYo7KBONYsXAKwI2jjh8QaX''. It will be ignored.

and Firefox
Content-Security-Policy: Failed to parse unrecognised source http:'nonce-PYlIKHuKI+MXAUAQPXdpGitZppM2TcaU'

Looking at the headers gives this:
content-security-policy: script-src 'nonce-XCTElSnZUQ+g0cR6uZxIcIG7DIAy83e7' 'strict-dynamic' 'unsafe-inline' 'self' https: http:'nonce-MOqFEfZXFmpgxaxLMjQBwW+D+VAFgevq' 'strict-dynamic' 'unsafe-inline' 'self' https: http:; report-uri /.netlify/functions/__csp-violations
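Added example, not written by anyone in this thread and not Netlify's code: a small Python checker that tokenizes a serialized CSP the way a browser does (';' between directives, ASCII whitespace between source expressions), classifies each script-src token against the CSP3 source-expression forms, and then performs the nonce comparison kylesloper described in his test steps (nonce attributes on inline scripts versus the nonces the header allows). The header value is the one quoted in the post above; the HTML fragment is constructed for the example. Because a source expression ends only at whitespace, `http:'nonce-...'` is a single token that matches neither the scheme-source form (`http:`) nor the nonce-source form (`'nonce-...'`), which is the unrecognised-source warning both browsers print; the block also shows that the same value with a space after `http:` tokenizes into two valid nonce sources. The regexes are a simplification of the spec grammar, adequate for auditing a script-src list, not a full CSP implementation.

```python
import re

# Simplified CSP3 source-expression grammar (scheme-source, host-source,
# keyword-source, nonce-source, hash-source). Good enough for auditing a
# script-src list; not a complete implementation of the spec.
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:$")
HOST_RE = re.compile(
    r"^(?:[A-Za-z][A-Za-z0-9+.-]*://)?"                   # optional scheme://
    r"(?:\*|(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*)"  # host or wildcard host
    r"(?::(?:\d+|\*))?"                                   # optional port
    r"(?:/[^\s;,]*)?$"                                    # optional path
)
KEYWORDS = {"'self'", "'unsafe-inline'", "'unsafe-eval'", "'strict-dynamic'",
            "'unsafe-hashes'", "'report-sample'", "'wasm-unsafe-eval'", "'none'"}
NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/_-]+={0,2})'$")
HASH_RE = re.compile(r"^'(?:sha256|sha384|sha512)-[A-Za-z0-9+/_-]+={0,2}'$")
FUSED_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*:'")  # scheme glued to a quoted source


def parse_policy(header):
    """Split a serialized CSP into (directive-name, [tokens]) pairs using the
    spec's delimiters: ';' between directives, ASCII whitespace between tokens."""
    directives = []
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives


def classify(token):
    """Name the source-expression form a token matches, or 'invalid'."""
    if token in KEYWORDS:
        return "keyword"
    if NONCE_RE.match(token):
        return "nonce"
    if HASH_RE.match(token):
        return "hash"
    if SCHEME_RE.match(token):
        return "scheme"
    if HOST_RE.match(token):
        return "host"
    return "invalid"


def audit_script_src(header):
    """Return (nonces allowed by script-src, list of problem descriptions)."""
    nonces, problems = [], []
    for name, tokens in parse_policy(header):
        if name != "script-src":
            continue
        for tok in tokens:
            kind = classify(tok)
            if kind == "nonce":
                nonces.append(NONCE_RE.match(tok).group(1))
            elif kind == "invalid":
                msg = f"unrecognised source {tok}"
                if FUSED_RE.match(tok):
                    # A scheme-source followed directly by a quoted source is what
                    # two source lists look like when joined without a separator.
                    msg += " (scheme fused to a quoted source: missing whitespace?)"
                problems.append(msg)
    return nonces, problems


SCRIPT_TAG_RE = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR_RE = re.compile(r"""\bnonce\s*=\s*["']?([^"'\s>]+)""", re.IGNORECASE)


def check_inline_nonces(html, header_nonces):
    """For each inline <script>, return (nonce attribute or None, allowed by header?).
    Header and HTML must come from the same response: nonces are per-request."""
    report = []
    for m in SCRIPT_TAG_RE.finditer(html):
        attrs = m.group(1)
        if re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue  # external script: governed by host sources / 'strict-dynamic'
        n = NONCE_ATTR_RE.search(attrs)
        value = n.group(1) if n else None
        report.append((value, value is not None and value in header_nonces))
    return report


# Header value quoted in the thread (the part after "content-security-policy:").
HEADER = ("script-src 'nonce-XCTElSnZUQ+g0cR6uZxIcIG7DIAy83e7' 'strict-dynamic' "
          "'unsafe-inline' 'self' https: http:'nonce-MOqFEfZXFmpgxaxLMjQBwW+D+VAFgevq' "
          "'strict-dynamic' 'unsafe-inline' 'self' https: http:; "
          "report-uri /.netlify/functions/__csp-violations")

# Constructed HTML fragment for this example: one nonced no-js script, one without.
SAMPLE_HTML = """<html class="no-js"><head>
<script nonce="XCTElSnZUQ+g0cR6uZxIcIG7DIAy83e7">document.documentElement.classList.remove('no-js')</script>
<script src="/app.js"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head></html>"""

if __name__ == "__main__":
    nonces, problems = audit_script_src(HEADER)
    print("nonces allowed by header:", nonces)
    for p in problems:
        print("problem:", p)
    for value, ok in check_inline_nonces(SAMPLE_HTML, nonces):
        print(f"inline script nonce={value!r} allowed={ok}")
    # Same value with whitespace after 'http:' yields two nonces and no problems.
    print(audit_script_src(HEADER.replace("http:'nonce", "http: 'nonce")))
```

Run against a live page, feed `audit_script_src` the response's `content-security-policy` header and `check_inline_nonces` the body of that same response; a nonce taken from a different request will never match, which is the trap the test steps above warn about.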

I’ve asked the devs to check this further.

Thanks hrishikesh, I look forward to hearing from them.

Any update on this hrishikesh?

Hey @AudioBear, thanks for checking in. We don’t have an additional update on this one just yet, but have confirmed that the dev team will be doing some work in this area in the next couple of weeks. We’ll be sure to follow up again here as soon as we have the next steps.