The biggest hurdle I am currently finding is getting CSP to work with large open source frameworks that change JavaScript on build or inject JavaScript & CSS styles.
For scripts, can 'strict-dynamic' help? It'll permit even non-external scripts being added into the document by nonced/hashed scripts so-long as they are not "parser inserted". e.g. a nonced script would be permitted to insert a script into the DOM via something like document.head.appendChild (but not via document.write).
For styles (and perhaps some particular scripts) 'unsafe-hashed-attributes' in scripts and style may be worth looking into (once it's finished). The idea is to allow things like:
<divstyle="color:red"onclick="foobar()"></div>
to be compatible with CSP (provided you know ahead of time what the attribute will be). I believe the current proposal is to hash the content of the attribute, so something like <img onerror="foobar()"> would have the same script hash as above (even though the attribute and element is different). For this reason it'll be possible to abuse these in certain situations e.g. consider if the following were legitimate code on the page, whitelisted by attribute
<aonclick="deleteAccount()">Delete account</a>
An attacker could then inject
<imgsrc=#onerror="deleteAccount()"/>
and have it execute on pageload.
That said, having to "be careful" with 'unsafe-hashed-attributes' is certainly a preferable approach to 'unsafe-inline', which essentially says "run all the things" :)
I am a software engineer focused on Building Teams, Project Management, Software Architecture, C#, .NET Core, Blazor, JavaScript, TypeScript, Azure, User Experience, Web Security, and Performance.
Using strict-dynamic is an excellent choice when possible. It is something I should investigate closer. A lot of my front ends are static sites, so that brings some challenges there.
For further actions, you may consider blocking this person and/or reporting abuse
We're a place where coders share, stay up-to-date and grow their careers.
For scripts, can
'strict-dynamic'help? It'll permit even non-external scripts being added into the document by nonced/hashed scripts so-long as they are not "parser inserted". e.g. a nonced script would be permitted to insert a script into the DOM via something likedocument.head.appendChild(but not viadocument.write).For styles (and perhaps some particular scripts)
'unsafe-hashed-attributes'in scripts and style may be worth looking into (once it's finished). The idea is to allow things like:to be compatible with CSP (provided you know ahead of time what the attribute will be). I believe the current proposal is to hash the content of the attribute, so something like
<img onerror="foobar()">would have the same script hash as above (even though the attribute and element is different). For this reason it'll be possible to abuse these in certain situations e.g. consider if the following were legitimate code on the page, whitelisted by attributeAn attacker could then inject
and have it execute on pageload.
That said, having to "be careful" with
'unsafe-hashed-attributes'is certainly a preferable approach to'unsafe-inline', which essentially says "run all the things" :)Using strict-dynamic is an excellent choice when possible. It is something I should investigate closer. A lot of my front ends are static sites, so that brings some challenges there.