Description
FAQ
- Yes, my issue is not about variability or throttling.
- Yes, my issue is not about a specific accessibility audit (file with axe-core instead).
URL
https://thomasbrodhead.com/
What happened?
Windows 10
Chrome Canary Version 93.0.4573.0
Under Best Practices, Lighthouse fails my site (https://thomasbrodhead.com) for not having a strong CSP, issuing this message:
Ensure CSP is effective against XSS attacks
A strong Content Security Policy (CSP) significantly reduces the risk of cross-site scripting (XSS) attacks. Learn more
I'm using a robust CSP that includes a script-src with strict-dynamic. If you audit my site with the Google CSP tester:
...it will show, among the other headers, 'script-src' with a nonce, like this:
script-src 'unsafe-inline' 'self' http: https: 'nonce-qYxgVxi3d/0zIpqOy2fapE2dVhVMp3ODdxVdXGK+' 'strict-dynamic' ;
I employ two top-level scripts that are nonced, and all subsequent scripts are called by them, making use of 'strict-dynamic'. (I also delete my scripts from the DOM after they've been attached and run.)
Is the Lighthouse auditor not reading the CSP header my site is sending?
What did you expect?
A passing score on the strong CSP audit.
What have you tried?
I've double checked my CSP using https://csp-evaluator.withgoogle.com/
How were you running Lighthouse?
Chrome DevTools
Lighthouse Version
8.0.0
Chrome Version
93.0.4573.0
Node Version
No response
Relevant log output
No response
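As an added illustration (not Lighthouse's or csp-evaluator's own code), the following Python snippet applies the "strict CSP" rules the failing audit refers to: script-src must carry a nonce or hash source together with 'strict-dynamic', and once 'strict-dynamic' is present a supporting browser ignores 'unsafe-inline', 'self' and the http:/https: scheme sources, which remain only as fallbacks for older browsers. The sample input is the header value quoted in the report above; the helper names are my own.

```python
"""Added example: evaluate the script-src of a CSP against the strict-CSP rules
(nonce/hash + 'strict-dynamic'). Not Lighthouse's audit code; a hand-written approximation."""
import re

# Header value quoted in the issue above, used here as sample input.
REPORTED_CSP = ("script-src 'unsafe-inline' 'self' http: https: "
                "'nonce-qYxgVxi3d/0zIpqOy2fapE2dVhVMp3ODdxVdXGK+' 'strict-dynamic' ;")

NONCE_RE = re.compile(r"^'nonce-([A-Za-z0-9+/_\-]+=*)'$")
HASH_RE = re.compile(r"^'(sha256|sha384|sha512)-[A-Za-z0-9+/_\-]+=*'$")

def parse_csp(header):
    """Split a CSP header into {directive: [sources]}; directives are ';'-separated."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy

def effective_script_sources(policy):
    """Sources a strict-dynamic-aware browser actually honours for scripts.
    script-src falls back to default-src when absent. With 'strict-dynamic' present,
    host/scheme sources, 'self' and 'unsafe-inline' are ignored."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if "'strict-dynamic'" in sources:
        sources = [s for s in sources
                   if NONCE_RE.match(s) or HASH_RE.match(s) or s == "'strict-dynamic'"]
    return sources

def evaluate_script_src(header):
    """Return (is_strict, findings): strict means nonce/hash source plus 'strict-dynamic'."""
    policy = parse_csp(header)
    if "script-src" not in policy and "default-src" not in policy:
        return False, ["no script-src or default-src: script loading is unrestricted"]
    raw = policy.get("script-src", policy.get("default-src"))
    nonces = [NONCE_RE.match(s).group(1) for s in raw if NONCE_RE.match(s)]
    has_hash = any(HASH_RE.match(s) for s in raw)
    strict_dynamic = "'strict-dynamic'" in raw
    findings = []
    for nonce in nonces:
        if len(nonce) < 8:  # csp-evaluator flags nonces shorter than 8 characters
            findings.append(f"nonce {nonce!r} is shorter than 8 characters")
    if not (nonces or has_hash):
        findings.append("no nonce or hash source: an allowlist-only script-src is weak against XSS")
    if not strict_dynamic:
        findings.append("'strict-dynamic' missing: dynamically inserted scripts are not covered")
    if "'unsafe-inline'" in raw and not (nonces or has_hash):
        findings.append("'unsafe-inline' without a nonce or hash permits any inline script")
    return not findings, findings
```

Run against the quoted header, the evaluator reports the policy as strict and shows only the nonce and 'strict-dynamic' as effective sources, which is why the report's question about whether the audit is actually reading the served header is the right one to ask.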