data: Used in a Content Security Policy (CSP) Directive - Vulnerability Database

Description

This informational alert indicates that the 'data:' URI scheme is permitted within one or more Content Security Policy (CSP) directives on the target application. A data: URI carries its content inline, so a directive that allows 'data:' accepts resources that come from no host at all. For directives that load active content (script-src, object-src, style-src, and default-src when it acts as the fallback for those), this largely defeats the host allow-list: an attacker who can inject markup can deliver the payload as <script src="data:..."> or <object data="data:..."> without hosting it anywhere, much as 'unsafe-inline' would allow. Note that neither 'self' nor '*' matches the data: scheme; it is allowed only where it is listed explicitly. While the CSP may otherwise be valid, allowing 'data:' in these contexts reduces the effectiveness of the policy. This check evaluates the current CSP configuration and provides recommendations to strengthen security while maintaining compatibility.

Remediation

Review the CSP directives that allow 'data:' URIs and assess whether they are necessary for your application's functionality. Where possible, remove 'data:' from CSP directives, especially from script-src, object-src, and style-src, and from default-src, which governs those directives whenever they are not set explicitly. Because 'self' and '*' never match the data: scheme, removing the literal 'data:' token is sufficient to block it. If data URIs are required for legitimate functionality, consider these alternatives:

1. Replace inline data URIs with externally hosted resources served from trusted domains
2. Use nonces or hashes for inline scripts and styles instead of allowing 'data:'
3. Restrict 'data:' to only the specific directives that absolutely require it (e.g., img-src for small inline images or font-src for embedded fonts), and set the active-content directives explicitly so they do not inherit it from default-src
4. Implement strict input validation and output encoding to prevent injection of malicious data URIs

Example of a more restrictive CSP header:

Content-Security-Policy: default-src 'self'; script-src 'self' 'nonce-{random}'; img-src 'self' data:; object-src 'none';
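To make the review above concrete, the following added example (written for this page, not part of Invicti's scanner) parses a Content-Security-Policy value and reports every inspected directive whose effective source list permits the data: scheme. It follows the CSP Level 3 fallback chain, so a 'data:' placed in default-src is correctly attributed to script-src, object-src and the other directives that inherit it, and it treats '*' as not matching data:. The sample headers are constructed for the demonstration; the second one is the restrictive policy shown above with a fixed nonce value substituted for the placeholder.

```python
"""Flag CSP directives that permit the data: scheme, taking fallback into account."""

# Fetch directives we inspect, each with the CSP3 fallback chain consulted when
# the directive itself is absent. Order matters: the first directive present wins.
FALLBACK = {
    "script-src":      ["default-src"],
    "script-src-elem": ["script-src", "default-src"],
    "script-src-attr": ["script-src", "default-src"],
    "style-src":       ["default-src"],
    "style-src-elem":  ["style-src", "default-src"],
    "style-src-attr":  ["style-src", "default-src"],
    "object-src":      ["default-src"],
    "frame-src":       ["child-src", "default-src"],
    "worker-src":      ["child-src", "script-src", "default-src"],
    "img-src":         ["default-src"],
    "font-src":        ["default-src"],
    "media-src":       ["default-src"],
}

# data: in these contexts lets injected content execute or load as a document/plugin.
HIGH_RISK = {"script-src", "script-src-elem", "script-src-attr",
             "object-src", "frame-src", "worker-src",
             "style-src", "style-src-elem", "style-src-attr"}


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [sources]}.

    Directive names are case-insensitive. If a directive is repeated, the
    first occurrence is enforced and later ones are ignored, as the spec requires.
    """
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in policy:
            policy[name] = tokens[1:]
    return policy


def governing_directive(policy: dict, directive: str):
    """Return (name, sources) of the directive that actually governs `directive`,
    or (None, None) if neither it nor any fallback is present (unrestricted)."""
    for name in [directive] + FALLBACK.get(directive, []):
        if name in policy:
            return name, policy[name]
    return None, None


def allows_data(sources) -> bool:
    """True if the source list names the data: scheme explicitly.

    '*' does NOT match data: (wildcards cover only network schemes), and
    neither does 'self', so the scheme must appear literally to be allowed.
    """
    return any(s.lower() == "data:" for s in sources)


def find_data_uri_findings(header: str) -> list:
    """List each inspected directive whose effective source list permits data:."""
    policy = parse_csp(header)
    findings = []
    for directive in FALLBACK:
        governed_by, sources = governing_directive(policy, directive)
        if sources is None or not allows_data(sources):
            continue
        findings.append({
            "directive": directive,
            "governed_by": governed_by,
            "risk": "high" if directive in HIGH_RISK else "low",
        })
    return findings


if __name__ == "__main__":
    # Constructed sample headers (not taken from any real site).
    weak = "default-src 'self' data:; img-src 'self'"
    strict = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
              "img-src 'self' data:; object-src 'none';")
    for label, hdr in (("weak", weak), ("strict", strict)):
        print(f"{label}:")
        for f in find_data_uri_findings(hdr):
            print(f"  [{f['risk']}] {f['directive']} allows data: (via {f['governed_by']})")
```

Running it shows the point of remediation step 3: the weak header lists 'data:' only once, in default-src, yet nine active-content directives inherit it, while the strict header yields a single low-risk finding for img-src because script-src and object-src are set explicitly and no longer fall back.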

Consult the alert details for specific remediation advice tailored to your CSP configuration and review the provided references for implementation best practices.

Related Vulnerabilities

Severity

Information

Classification