Im having an issue when implementing CSP for styles and script on an existing laravel 6 project,
i’ve manged to follow a with one of the guidance to name:
However, using default header values like ‘self’ and my localhost domain did not solve the SCP issue and it keeps breaking my site unless i add style unsafe-inline
, src unsafe-inline
and unsafe-eval
due to lot of inline style and script.
The code im using here is:
$this->addDirective(Directive::BASE, Keyword::SELF)
->addDirective(Directive::CONNECT, Keyword::SELF)
->addDirective(Directive::DEFAULT, Keyword::SELF)
->addDirective(Directive::FORM_ACTION, Keyword::SELF)
->addDirective(Directive::IMG, Keyword::SELF)
->addDirective(Directive::MEDIA, Keyword::SELF)
->addDirective(Directive::OBJECT, Keyword::NONE)
->addDirective(Directive::STYLE, [
Keyword::SELF,
'mylocaldomain.test',
//'unsafe-inline' //Not safe i know. Without this, site breaks
])
->addDirective(Directive::SCRIPT, [
Keyword::SELF,
'mylocaldomain.test',
// 'unsafe-eval', //Not safe, finding a way to fix this
])
->addNonceForDirective(Directive::SCRIPT);
// ->addNonceForDirective(Directive::STYLE);//produced more errors, commented.
But i am aware that unsafe values are not supposed to be implemented, and indeed, when i run owasp zap against my laravel app, unsafe
values are reported right away.
Currently i managed to get csp_nonce() function to pass through script, and now it does not complain, but doing thesame for style was not success due to many inline style and other js libraries calling eval().
Despite on my side already including “nonce” and “self” and “domain name”, my site is still gets broken and complains of inline style (without telling which line).
Some inline style already included nonce parameter, but it still complains.
Content-Security-Policy: The page’s settings blocked the loading of a resource at inline (“script-src”).
I’ve read many other forums and advises on Stackoverflow as i implement fixes whenever i find (trial and error)
Of course, using “unsafe-inline” value is out of the question, but what is the best practice to address eval() and inline styles with shortest time possible? (im having hundreds of pages with different blades, not sure if its logical to address them 1 by 1)
i have implementing nonce on all scripts that I am loading (does not give me proper location on the error to solve), but it still complains about eval(), and it does not providing me on error location
Content-Security-Policy: The page’s settings blocked the loading of a resource at eval (“script-src”).
Source: window.__cmp&&typeof __cmp("getCMPData")… login
I’ve also tried removing style-src
assuming that it may not be a threat like a script, but pages produces more errors on default-src
(which was never complained before)
i’ve been working on this for about 2 weeks with no specific lead due to different devs having different issue to resolve the following:
- eval()
- Inline styles
Appreciate if any kind advise on where did i do wrong and how can i go about it, as i am out of options right now.