Content Security Policy (CSP) Nonce Value Not Used Within Single Quotes
Description
The Content Security Policy (CSP) on the target application uses nonce values without enclosing them in single quotes. According to the CSP specification, nonce values must be wrapped in single quotes to function correctly (e.g., 'nonce-abc123' instead of nonce-abc123). This misconfiguration may prevent the CSP from working as intended, potentially leaving the application vulnerable to cross-site scripting (XSS) attacks that the policy was designed to prevent.
Remediation
Update all CSP directives to ensure nonce values are enclosed in single quotes. Review both HTTP headers and meta tags that define CSP policies.
For HTTP Headers:
Incorrect:
Content-Security-Policy: script-src nonce-abc123
Correct:
Content-Security-Policy: script-src 'nonce-abc123'
For HTML Meta Tags:
Incorrect:
<meta http-equiv="Content-Security-Policy" content="script-src nonce-abc123">
Correct:
<meta http-equiv="Content-Security-Policy" content="script-src 'nonce-abc123'">
After making changes, test the CSP implementation using browser developer tools to verify that policies are correctly applied and that legitimate scripts execute while maintaining security protections.
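As an added check that is not part of the original advisory, the following Python script parses a CSP from a header value or a <meta> tag and flags nonce sources that are not wrapped in single quotes; it also covers hash sources (sha256-, sha384-, sha512-), which have the same quoting requirement. The policy strings are the page's own examples; the helper names and regexes are assumptions of this example.

```python
import re
from typing import List, Optional, Tuple

# CSP source expressions that must be wrapped in single quotes. Hash sources
# are included as a generalisation of the nonce case described on the page.
QUOTED_PREFIXES = ("nonce-", "sha256-", "sha384-", "sha512-")

# Assumed regexes for pulling a policy out of a <meta> tag (hypothetical helpers).
META_TAG_RE = re.compile(r"<meta\b[^>]*>", re.IGNORECASE)
ATTR_RE = re.compile(r'([\w-]+)\s*=\s*"([^"]*)"')

def parse_policy(policy: str) -> List[Tuple[str, List[str]]]:
    """Split a serialized CSP into (directive name, [source tokens]) pairs."""
    directives = []
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if tokens:
            directives.append((tokens[0].lower(), tokens[1:]))
    return directives

def find_unquoted_sources(policy: str) -> List[Tuple[str, str]]:
    """Return (directive, token) pairs whose nonce/hash source lacks single quotes.
    A bare nonce-abc123 is parsed by browsers as a host-source (a hostname),
    so it never matches a <script nonce="abc123"> element.
    """
    findings = []
    for name, sources in parse_policy(policy):
        for token in sources:
            bare = token.strip("'").lower()
            quoted = len(token) >= 2 and token[0] == "'" and token[-1] == "'"
            if bare.startswith(QUOTED_PREFIXES) and not quoted:
                findings.append((name, token))
    return findings

def policy_from_meta(html: str) -> Optional[str]:
    """Extract the content attribute of the first CSP <meta http-equiv> tag."""
    for tag in META_TAG_RE.findall(html):
        attrs = {k.lower(): v for k, v in ATTR_RE.findall(tag)}
        if attrs.get("http-equiv", "").lower() == "content-security-policy":
            return attrs.get("content")
    return None

if __name__ == "__main__":
    # Constructed sample header, taken from the page's "Incorrect" example.
    header = "script-src nonce-abc123"
    for directive, token in find_unquoted_sources(header):
        print(f"{directive}: {token!r} is not single-quoted")
```

Run it against the header value your server emits and against the fetched HTML of pages that set CSP via <meta>; an empty result means every nonce and hash source is quoted as the specification requires.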