If you want to disallow all inline scripts, then yes, this is also the easiest approach.
Just be aware that there are quite a number of different possible situations:
- no CSP or CSP without default-src and script-src ==> add one that allows script-src all protocols (and 'unsafe-eval')
- CSP with script-src ==> remove 'unsafe-inline' if present
- CSP without script-src ==> if 'unsafe-inline' present in default-src, copy that (without 'unsafe-inline') to script-src

Also, a response can contain multiple CSP headers and CSPs with different names (X-Content-Security-Policy, X-Webkit-CSP). I don't know if Firefox normally uses either of these (if the standard Content-Security-Policy is missing).
And then there is <meta http-equiv="Content-Security-Policy" ...>.
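The three rewrite cases listed in the comment above, as an added example that is not part of the original post: a function that takes one Content-Security-Policy header value and returns the value that blocks inline scripts. The exact source list used for the "allow all protocols" case (`* data: blob: 'unsafe-eval'`) is an assumption, not something the comment specifies.

```javascript
// Added example, not from the original post. Policy used when no directive
// governs scripts yet; the concrete source list here is an assumption.
const ALLOW_ALL_SCRIPTS = "script-src * data: blob: 'unsafe-eval'";

// Parse "a b c; d e" into a Map of directive name -> array of source tokens.
// Per the CSP spec, a repeated directive name is ignored (first one wins).
function parseCsp(value) {
  const directives = new Map();
  for (const part of value.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

function serializeCsp(directives) {
  return [...directives].map(([name, srcs]) => [name, ...srcs].join(" ")).join("; ");
}

const isUnsafeInline = (t) => t.toLowerCase() === "'unsafe-inline'";

// Returns the policy that should replace `value`; null or "" means the
// response carried no CSP at all. Call it once per CSP header value.
function blockInlineScripts(value) {
  if (!value || !value.trim()) return ALLOW_ALL_SCRIPTS;
  const directives = parseCsp(value);
  const hasScript = directives.has("script-src");
  const hasDefault = directives.has("default-src");
  if (!hasScript && !hasDefault) {
    // Case 1: nothing governs scripts; add a permissive script-src without 'unsafe-inline'.
    directives.set("script-src", ALLOW_ALL_SCRIPTS.split(" ").slice(1));
  } else if (hasScript) {
    // Case 2: script-src exists; strip 'unsafe-inline' if present.
    directives.set("script-src", directives.get("script-src").filter((t) => !isUnsafeInline(t)));
  } else {
    // Case 3: only default-src; if it allows inline, copy it to script-src minus 'unsafe-inline'.
    // If default-src has no 'unsafe-inline', the fallback already blocks inline scripts.
    const def = directives.get("default-src");
    if (def.some(isUnsafeInline)) {
      directives.set("script-src", def.filter((t) => !isUnsafeInline(t)));
    }
  }
  return serializeCsp(directives);
}
```

A response with several CSP headers (or the X-Content-Security-Policy / X-Webkit-CSP variants, or a meta tag) needs this applied to each value separately, since browsers enforce every policy present.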