Why is OWASP Zap warning about CSP script-src 'unsafe-inline' when that is not present?

Question

I used OWASP Zap to scan one of our web servers and a warning that puzzles me is script-src unsafe-inline. The report says the following:

URL	https://product.example.com/step1.html
Method	GET
Parameter	content-security-policy
Attack
Evidence	frame-src 'self'; frame-ancestors 'self' https://site1.example.com https://site2.example.com; object-src 'none';
Description	Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks. Including (but not limited to) Cross Site Scripting (XSS), and data injection attacks. These attacks are used for everything from data theft to site defacement or distribution of malware. CSP provides a set of standard HTTP headers that allow website owners to declare approved sources of content that browsers should be allowed to load on that page — covered types are JavaScript, CSS, HTML frames, fonts, images and embeddable objects such as Java applets, ActiveX, audio and video files.
Other Info	script-src includes unsafe-inline.

It's not configured to use unsafe-inline but it still warns about it. What am I missing?

Answer 1

As one of the main usages of CSP is to prevent XSS and the downstream effects of XSS such as data exfiltration, blocking inline scripts is vital and ZAP expects your CSP to prevent inline scripts.

CSP provides an allowlist of resources you want to enable. But it only does so for the directives that you have implemented. In your policy there are no directives that controls script, and hence inline script is allowed. You can implement the script-src directive without 'inline-script'. Alternatively you can implement default-src, which is used as a fallback when script-src is not present. Another option is to implement script-src-elem which first falls back to script-src and then to default-src, but it doesn't yet seem to be supported in all browsers.