I have the following CSP embedded in my AWS instance; however, it doesn't seem to be properly configured. When I scan via Mozilla Observatory, I get the following message: Content Security Policy (CSP) implemented unsafely.

        Header set Content-Security-Policy "default-src 'unsafe-inline' https://vlibras.gov.br https://*.chargebee.com https://*.chargebeeportal.com https://*.cloudfront.net https://*.jobconvo.com https://*.amazonaws.com https://www.google-analytics.com https://jobconvo.freshdesk.com https://assets.freshdesk.com https://*.googleapis.com https://gitcdn.github.io https://*.youtube.com https://*.gstatic.com https://*.doubleclick.net https://www.google.com/recaptcha/ https://www.google.com object-src data: 'unsafe-eval' blob: 'unsafe-eval' font-src: 'self' data;"

After studying a little, am I right to think that the problem is in the unsafe-inline parameter? If so, how can I get around this, since I already have embedded HTML in onClick()?

GustavoNogueira
  • 389
  • 1
  • 3
  • 16
  • That's the point. Then you can't. The whole point is to disable inline JavaScript so most forms of XSS are impossible. You can refactor your pages to use unobtrusive JavaScript, referenced entirely in .js files. – Gabor Lengyel Nov 30 '20 at 17:25

1 Answer

1

Firstly, your CSP has fatal errors: you missed the ; between directives and used a wrong directive name like 'font-src:'.

Mozilla Observatory assumes the CSP is unsafe because of the use of the unsafe tokens 'unsafe-eval' and 'unsafe-inline' in script-src/default-src.

I already have embedded HTML in onClick ()

To avoid 'unsafe-inline' you can use addEventListener("click", ...) instead of <tag onClick='...'>.

To avoid 'unsafe-eval' it is necessary to know which unsafe constructs you use: eval(), Function(), setInterval() or setTimeout(). The last two can be fixed easily (please see the comments).

granty
  • 7,234
  • 1
  • 14
  • 21
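
As an added example (not code from the question, the answer, or Mozilla Observatory), the following Node.js script parses a Content-Security-Policy header value and reports the problems the answer describes on the policy posted in the question: the missing `;` separators (which make `object-src` and `font-src:` part of `default-src`), the directive name written with a colon, and `'unsafe-inline'`/`'unsafe-eval'` in the directive that governs scripts. It also flags the bare `data` at the end of the posted policy, which the answer does not mention but which is not a valid source expression (`data:` was presumably intended). The two shorter policies it checks afterwards are constructed for the example: one with only the syntax fixed (the unsafe tokens remain and are still reported) and one hardened policy that assumes the inline handlers have been moved into external scripts as the answer and the comment recommend. The directive list is taken from the CSP specification and is deliberately not exhaustive.

```javascript
// Added example: a small CSP header linter (Node.js, no browser needed).
// Not the question's or the answer's code; the FIXED/HARDENED policies below
// are constructed for illustration and do not reflect what the asker's site needs.

const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "script-src-elem", "script-src-attr",
  "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "child-src",
  "worker-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
  "report-uri", "report-to", "upgrade-insecure-requests", "sandbox",
]);

// The policy exactly as posted in the question (header value only).
const POSTED_POLICY = "default-src 'unsafe-inline' https://vlibras.gov.br https://*.chargebee.com https://*.chargebeeportal.com https://*.cloudfront.net https://*.jobconvo.com https://*.amazonaws.com https://www.google-analytics.com https://jobconvo.freshdesk.com https://assets.freshdesk.com https://*.googleapis.com https://gitcdn.github.io https://*.youtube.com https://*.gstatic.com https://*.doubleclick.net https://www.google.com/recaptcha/ https://www.google.com object-src data: 'unsafe-eval' blob: 'unsafe-eval' font-src: 'self' data;";

// Constructed: same shape with ';' separators, 'font-src' and 'data:' corrected,
// host list shortened. The unsafe tokens are still present on purpose.
const SYNTAX_FIXED_POLICY = "default-src 'unsafe-inline' 'unsafe-eval' https://*.amazonaws.com https://www.google.com; object-src data: blob:; font-src 'self' data:";

// Constructed: what the policy can look like once handlers live in external .js files.
const HARDENED_POLICY = "default-src 'self' https://www.google.com; script-src 'self'; object-src 'none'; font-src 'self' data:";

// Split a header value into [{ name, values }] entries on ';'.
function parsePolicy(policy) {
  return policy.split(";")
    .map(part => part.trim())
    .filter(part => part.length > 0)
    .map(part => {
      const [name, ...values] = part.split(/\s+/);
      return { name: name.toLowerCase(), values };
    });
}

// Does a token look like a CSP source expression? Keywords, nonces and hashes
// are quoted ('self', 'nonce-...'), schemes end in ':' (data:, blob:), hosts
// contain a dot or a scheme prefix. Directive names and bare words do not.
function looksLikeSource(tok) {
  const t = tok.toLowerCase();
  return t === "*"
    || /^'[^']+'$/.test(t)
    || /^[a-z][a-z0-9+.-]*:$/.test(t)
    || t.includes("://")
    || t.includes(".");
}

// Returns a list of { code, message } findings; an empty list means nothing was found.
function lintPolicy(policy) {
  const findings = [];
  const directives = parsePolicy(policy);

  for (const d of directives) {
    if (!KNOWN_DIRECTIVES.has(d.name)) {
      findings.push({ code: "unknown-directive", message: `unknown directive '${d.name}'` });
    }
    for (const v of d.values) {
      const lower = v.toLowerCase();
      if (KNOWN_DIRECTIVES.has(lower)) {
        // A directive name among the values means the ';' before it was dropped.
        findings.push({ code: "missing-separator",
          message: `'${v}' appears inside '${d.name}': a ';' is missing before it` });
      } else if (lower.endsWith(":") && KNOWN_DIRECTIVES.has(lower.slice(0, -1))) {
        findings.push({ code: "directive-colon",
          message: `'${v}' inside '${d.name}': directive names take no colon, write '; ${lower.slice(0, -1)}'` });
      } else if (!looksLikeSource(v)) {
        findings.push({ code: "bad-source",
          message: `'${v}' in '${d.name}' is not a valid source expression (did you mean '${v}:'?)` });
      }
    }
  }

  // script-src governs scripts; when it is absent, default-src does.
  const scriptGoverning = directives.find(d => d.name === "script-src")
    || directives.find(d => d.name === "default-src");
  if (scriptGoverning) {
    for (const tok of ["'unsafe-inline'", "'unsafe-eval'"]) {
      if (scriptGoverning.values.includes(tok)) {
        findings.push({ code: tok.replace(/'/g, ""),
          message: `${tok} in ${scriptGoverning.name}: scanners such as Observatory report this as unsafe` });
      }
    }
  }
  return findings;
}

// Convenience: just the finding codes, in the order they were reported.
function findingCodes(policy) {
  return lintPolicy(policy).map(f => f.code);
}

for (const [label, policy] of [["posted", POSTED_POLICY],
                               ["syntax fixed", SYNTAX_FIXED_POLICY],
                               ["hardened", HARDENED_POLICY]]) {
  const findings = lintPolicy(policy);
  console.log(`${label}: ${findings.length} finding(s)`);
  for (const f of findings) console.log("  " + f.message);
}
```

Run it with `node csp-lint.js`. On the posted policy it reports five findings; after the syntax fixes only the two unsafe tokens remain, and the hardened policy reports none. The linter checks shape only: it cannot tell you whether a given host or `'unsafe-eval'` is actually needed by your pages, which is the part of the answer that depends on which constructs (eval(), Function(), setInterval() or setTimeout() with a string) the site really uses.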