
I want to restrict injection of CSS styles into JSP pages by setting style-src 'self' in HttpSecurity.headers().contentSecurityPolicy(). However, the jQuery I am using tries to inject inline styles into the page, and the browser refuses them with this console error:

jquery-3.4.1.min.js:2 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-+PA1W6zRh5Oc60l8KTKpT7oxFVzjAUR9eAI5Pkr7MGE='), or a nonce ('nonce-...') is required to enable inline execution.

import org.springframework.context.annotation.ComponentScan;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
@Configuration
@EnableWebSecurity
@ComponentScan(basePackages = { "au.xyz.myproject" })
public class SecurityConfig extends WebSecurityConfigurerAdapter {

    /**
     * Value of the Content-Security-Policy response header, one directive per line.
     *
     * <p>{@code default-src 'none'} is the fallback for fetch directives that are not
     * listed; every directive listed here is limited to the page's own origin
     * ({@code 'self'}). Because {@code style-src 'self'} carries no
     * {@code 'unsafe-inline'}, hash or nonce source, the browser refuses inline styles,
     * including ones a script library writes into the page.
     *
     * <p>NOTE(review): {@code base-uri}, {@code form-action} and {@code frame-ancestors}
     * do not fall back to {@code default-src}, so this policy leaves them unrestricted;
     * consider declaring them explicitly. {@code object-src 'self'} still allows plugin
     * content from the own origin; {@code 'none'} is the tighter choice if the
     * application embeds no such content (confirm before changing).
     */
    private static final String CONTENT_SECURITY_POLICY =
            "default-src 'none'; "
            + "worker-src 'self'; "
            + "connect-src 'self'; "
            + "font-src 'self';" // separator has no trailing space; kept exactly as written
            + "img-src 'self'; "
            + "media-src 'self'; "
            + "object-src 'self'; "
            + "script-src 'self'; "
            + "style-src 'self'";

    /**
     * Adds the Content-Security-Policy header to the responses of this application.
     *
     * <p>Only the header configuration is set up here: the method does not call
     * {@code super.configure(http)} and declares no authorization rules.
     * NOTE(review): confirm that request authorization is configured where intended.
     *
     * @param http the security builder to which the header writer is added
     * @throws Exception if the header configuration cannot be applied
     */
    @Override
    protected void configure(HttpSecurity http) throws Exception {
        http.headers().contentSecurityPolicy(CONTENT_SECURITY_POLICY);
    }
}

How can I enable Content Security Policy style-src 'self' for CSS styles when using jQuery?

  • https://stackoverflow.com/questions/42922784/what-s-the-purpose-of-the-html-nonce-attribute-for-script-and-style-elements Is the nonce mentioned here a solution to this? – Nevin Jun 20 '19 at 04:15
