Content-Security-Policy warning
-
My page is displaying correctly but I am getting the following warning when I scan the site “This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive. This policy contains ‘unsafe-eval’ which is dangerous in the script-src directive. This policy contains ‘unsafe-inline’ which is dangerous in the style-src directive.”, I ma using the following settings (default-src ‘self’; script-src ‘unsafe-inline’ ‘unsafe-eval’ http:; style-src ‘unsafe-inline’ http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scripts).
Any Help would be gratefully appreciated
-
1. “This policy contains ‘unsafe-inline’ which is dangerous in the script-src directive.” is really dangerous because such CSP does not protect against XSS.
If there is an XSS vulnerability on the web-page, it can be easily exploited for inserting any inline scripts.2. An
'unsafe-eval'in the script-src counts as ‘potentially dangerous’, evenmyaccount.google.comandaccount.google.compages use it. But in some conditions'unsafe-eval'can become very dangerous.
For example if you allow some public CDN in thescript-src, in case of XSS attacker can load AngularJS or VueJS library with symbolic code execution. In this case, the attacker will no longer need to insert inline scripts – he will simply inject HTML markup like:<div ng-app ng-csp>{{$eval.constructor('alert(\'XSS\')')()}}</div>3. An
‘unsafe-inline’in thestyle-srcdirective is really ‘potentially dangerous’.So your CSP:
default-src ‘self’; script-src ‘unsafe-inline’ ‘unsafe-eval’ http:; style-src ‘unsafe-inline’ http:; img-src http: data:; font-src http: data:; sandbox allow-forms allow-scriptsis not protect against XSS. An ‘unsafe-inline’ allows to inject any inline scripts, and
‘unsafe-eval’+http:allows to load any framework from public CDN and inject scripts via HTML markup.
- The topic ‘Content-Security-Policy warning’ is closed to new replies.
