Fix guide · high · csp_data_uri_in_script_src
CSP allows data: in script-src
Your CSP script-src includes data:. An attacker who can inject markup into your page can include <script src="data:text/javascript,malicious_code()"> and execute arbitrary code without ever loading a remote resource.
Why it matters
data: URIs let you embed an entire script's body in the URL itself. When CSP permits data: in script-src, you've effectively re-enabled inline scripts by another route — the attacker's script doesn't need a hash, doesn't need a nonce, doesn't need to be hosted anywhere. They just need a way to inject one tag.
The pattern usually shows up because the developer needed data: in img-src (for inline base64 images) and copied the directive into script-src by mistake, or because a CSP generator tool defaulted to it.
How to fix it
Remove data: from script-src. Keep it in img-src if you actually use inline images:
# BEFORE
script-src 'self' data:; img-src 'self' data:
# AFTER
script-src 'self'; img-src 'self' data:
If you have a legitimate need for data: scripts (rare — usually a service worker registration pattern), use a nonce or hash for that specific case instead of a blanket allow.
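As an added example (not the vibecheck tool's own code), here is a small Python checker that detects this pattern in a raw CSP header and produces the corrected policy. It goes slightly beyond the BEFORE/AFTER above: it also catches the case where script-src is absent and data: leaks in through default-src, and when fixing that case it adds an explicit img-src so inline images keep working.

```python
# Added example, not part of the original guide. Parses a Content-Security-Policy
# header, reports whether data: is permitted for scripts, and returns a corrected
# policy that drops data: only from the directive governing scripts.

def parse_csp(header):
    """Parse a CSP header into an ordered dict of directive -> source list.

    Per the CSP spec, when a directive is repeated the first occurrence wins.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if not parts:
            continue  # empty segment, e.g. from a trailing semicolon
        name, sources = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = sources
    return policy

def serialize_csp(policy):
    return "; ".join(" ".join([name] + sources) for name, sources in policy.items())

def effective_script_sources(policy):
    """script-src falls back to default-src when it is not set explicitly."""
    if "script-src" in policy:
        return "script-src", policy["script-src"]
    if "default-src" in policy:
        return "default-src", policy["default-src"]
    return None, []

def find_data_in_script_src(header):
    """Return the directive that allows data: scripts, or None if the policy is clean."""
    name, sources = effective_script_sources(parse_csp(header))
    return name if any(s.lower() == "data:" for s in sources) else None

def fix_data_in_script_src(header):
    """Remove data: from the directive governing scripts; img-src is left untouched.

    If the offending directive is default-src and there is no explicit img-src,
    an img-src carrying the original sources (including data:) is added so that
    inline base64 images do not break when data: is dropped from default-src.
    """
    policy = parse_csp(header)
    name, sources = effective_script_sources(policy)
    if not any(s.lower() == "data:" for s in sources):
        return header
    policy[name] = [s for s in sources if s.lower() != "data:"]
    if name == "default-src" and "img-src" not in policy:
        policy["img-src"] = list(sources)
    return serialize_csp(policy)
```

A real bundle may set the policy in a meta tag or a server header; either way, feed the raw directive string to these functions.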
Full guide: /blog/csp-bypass-vibe-coded.
Did vibecheck flag this on your app?
If you reached this page from a vibecheck inspection report, the redacted match in your scan output is the exact string we found in your bundle. After applying the fix above, run the inspection again — the finding should clear.