'strict-dynamic' is present, so host-based whitelisting is disabled

I'm loading a dummy JS script from origin like:

<script src="http://www.this-host.test/loadMe.js"></script>

with CSP header set to:

script-src 'self' 'strict-dynamic' 'nonce-{randomString}';

Since the script source is coming from its origin host and is allowed by the CSP header, loadMe.js should load and execute.

Instead I get:

Refused to load the script 'http://www.this-host.test/loadMe.js' because it 
violates the following Content Security Policy directive: "script-src 'self' 'strict-dynamic' 'nonce-{randomString}';. 
'strict-dynamic' is present, so host-based whitelisting is disabled.

Tested on Macintosh; Mac OS X 10_15_2, browsers Chrome/79.0.3945.117, Firefox/71.0.

I don't get this message on Safari though.

Perhaps good to note that I'm testing it locally.


Anyway, I don't want to use nonce-{randomString} when the CSP header allows resources to be loaded from the origin host.

Any thoughts on that?

Dominik Krulak asked Oct 24 '25 11:10

1 Answer

According to csplite.com, for a server with the CSP header script-src 'self' 'strict-dynamic' 'nonce-{randomString}' set...

'strict-dynamic' only works in conjunction with 'hash-value' or 'nonce-value', and if they are absent, all scripts on the page will be disabled, because 'strict-dynamic' overrides the 'unsafe-inline' action and disables whitelisting of host-based sources, including the 'self' token

... which tells me that if my loadMe.js file is loading another file (or even if it doesn't), the nonce="{randomString}" attribute in the HTML tag must be set, no matter whether the file is loaded from the same host or from a whitelisted host.

Dominik Krulak answered Oct 26 '25 02:10