3

So I'm loading a JavaScript file from a third party into my application which injects an iframe onto the page. When that iframe loads, it loads its own JavaScript which creates an inline style tag in the parent window.

Because of this flow, I have to have "unsafe-inline" in my content security policy for the style-src directive. Is there anything like strict-dynamic that would work for styles loaded like this? Or is there some kind of solution in which I don't have to have "unsafe-inline" listed in my CSP that still allows this one stylesheet?

Best I can come up with is to scan this redirected file every couple of hours and generate subresource integrity hashes for it to inject into my CSP on a regular basis, but this seems really fragile.

kddeisz
  • Do you have any other inline styles or scripts on the page? If not, is there an option to disable "injection" of this style tag and include those styles explicitly by yourself? Or is this security measure mentioned at the end of Anand Bhat's [answer](https://stackoverflow.com/questions/40144915/what-does-csp-protect-us-if-allowing-unsafe-inline) enough for your needs? – Dan Macak Mar 19 '18 at 07:21
  • You can generate a `nonce`, which needs to be included in the CSP header and in the style tag. – allo Mar 19 '18 at 13:25
  • @DanMacák there's no option to disable the injection from the vendor unfortunately. The security measure mentioned there isn't quite enough for what we're looking for. – kddeisz Mar 19 '18 at 17:26
  • @allo I would love to generate a `nonce`, but as mentioned, I don't have control over when the styles are injected, so I don't have the ability to add a nonce to the tag as it's being added to the page. – kddeisz Mar 19 '18 at 17:27
  • @kddeisz well in that case I see 2 things you can do. First, file a feature request or pull request to that 3rd party lib (which one is that btw?) in order to be able to exclude that style injection and specify the `style-src` as something like `'self' https://3rdparty.lib/styles/* 'unsafe-inline'`. Since you for now absolutely must use an inline style tag and can't use hash nor nonce, narrowing what you can load from the style tags is the only solution I see. It is not as safe as excluding unsafe inline sources altogether, but it is still much better than having no style-src CSP measures at all. – Dan Macak Mar 20 '18 at 06:11
  • @DanMacák Yeah this was what I was afraid of. The vendor is intercom. I've opened a ticket with them and am waiting on them to offer some kind of solution to this. Unfortunately it's closed source or I would try to build it myself. – kddeisz Mar 20 '18 at 15:16
  • Possible duplicate of [Banned inline style CSP and dynamic positioning of HTML elements](https://stackoverflow.com/questions/24713440/banned-inline-style-csp-and-dynamic-positioning-of-html-elements) – Stephen R May 02 '18 at 16:33

1 Answer

0

Setting CSS via the CSS Object Model (CSSOM) works with CSP. Thus:

document.getElementById(id).style.left = '343px';

In this case you may have to convince the 3rd party vendor to alter their JavaScript.

source: https://stackoverflow.com/a/29089970/339440

Stephen R
  • In this case they're actually injecting a stylesheet into the DOM, not modifying elements. – kddeisz May 03 '18 at 16:48
  • You said: *"a JavaScript file... which injects an iframe onto the page. When that iframe loads, it loads its own JavaScript which creates an inline style tag in the parent window."* That says the style is being created from JavaScript, not read from a stylesheet. I'm not saying it will be easy to convince a third-party vendor to do things differently; merely that it is technologically possible to do what you're asking. (That said, it shouldn't be too difficult for them to change if they do agree to!) – Stephen R May 03 '18 at 20:33
  • Thanks Stephen. I get what you're saying, I'm just saying they're not setting CSS properties on DOM elements using JavaScript, they're loading an inline style tag which the browser handles. – kddeisz May 07 '18 at 15:52
  • Right, and that’s why CSP is blocking it – Stephen R May 08 '18 at 17:32