
I used 'unsafe-hashes' in our Content-Security-Policy to get rid of the errors for our inline HTML event handlers, so in Chrome it works fine and markup like this works properly:

<a id="myAnchor" onclick="executeMyMethod()"></a>

The problem seems to be that Mozilla Firefox does not implement 'unsafe-hashes', as described here: https://caniuse.com/?search=unsafe-hashes.

Is there a way to do the same in Firefox? They suggest replacing the inline handler with an event listener like this:

document.getElementById("myAnchor").addEventListener("click", executeMyMethod);

But there are a lot of different files and repos to refactor, and it is not viable.

Thanks a lot.

  • Let's put it this way: you're responsible for the safety of your visitors, and circumventing or relieving CSP is the worst thing you can do. It's just like knowing that hitting your head with a hammer hurts, but still hitting your head with a hammer. Don't use inline listeners, no matter how much refactoring it takes. – Teemu Jan 11 '23 at 08:45
  • Thanks for the answer; anyway, I'm not trying to circumvent CSP, I'm just wondering if any other solution exists – silvio rossi Jan 11 '23 at 08:47
  • ?? "_other solution_" is a synonym for "_circumventing_". – Teemu Jan 11 '23 at 08:51
  • :) Yes, for example a good answer could be something like "I have a tool, or you can build a tool, to quickly refactor all inline scripting", or maybe some other solution that you don't know about but I do because I have more experience than you... – silvio rossi Jan 11 '23 at 08:58
  • @silviorossi I'm afraid there are no 'easy outs' here unless you build them yourself - it was a bad idea to make the listeners inline in the first place - it needs to be refactored, and there are no tools for that, as your HTML is probably different from mine and from anyone else's (you used `onclick="executeMyMethod()"` while someone else might have used `href="javascript:executeMyMethod()"` or something else.) – 537mfb Jan 11 '23 at 09:16
  • @silviorossi Well, to me it looks like a "find a Firefox alternative for unsafe-hashes" question. If you want to know about refactoring tools, you should specifically ask for tools (not here on SO, though, as those questions are off-topic). There are tools for making bulk changes to the markup (more or less a type of find-and-replace-in-files), but the JS parts need to be fixed manually. A useful feature of DOM events is event bubbling, which makes it possible to benefit from [event delegation](https://stackoverflow.com/q/1687296/1169519); using it might reduce the refactoring work significantly. – Teemu Jan 11 '23 at 09:36
  • Thanks to you all, the problem is always the same: inheriting old legacy code :) Anyway, if anyone has a different answer from the one I have already posted, I will be glad. Thanks !! – silvio rossi Jan 11 '23 at 10:09
  • I actually didn't want to link to a cross-browser solution, but [here it is](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src#unsafe_inline_script); it's just that you simply should not hack your own site, as the docs say: "_Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides_". – Teemu Jan 11 '23 at 11:07
