Content Security Policy settings
Hi there,
I'm trying to make a Content Security Policy using the wizard at a website called report-uri.com. This wizard will show you the detected items on a website. I let it run for a week and the detected items contained a lot of 'unsafe-inline', 'unsafe-eval' directives:
default-src 'unsafe-inline'
script-src-attr 'unsafe-inline'
script-src-elem 'unsafe-inline'
script-src 'unsafe-eval'
script-src 'unsafe-inline'
style-src-attr 'unsafe-inline'
style-src-elem 'unsafe-inline'
style-src 'unsafe-inline'
In my opinion the website will remain vulnerable when whitelisting these in the CSP. Are there specific directives that should have the 'unsafe-inline' or 'unsafe-eval' expressions for JCE editor (or other products) to work properly?
Thanks in advance!
I've done some tests with JCE Pro using the Joomla System - HTTP Headers plugin in Joomla 4 which you can use to set various header options for the site, including the CSP.
There is a fantastic article about this plugin here - https://blog.astrid-guenther.de/en/cassiopeia/10content-security-policy-joomla4/
I enabled the "Nonce" option and set two Policy Directives of script-src : 'self' and object-src : 'none'.
Note that I set this to Report-Only and used the browser console to show any errors in the report.
There were a few warnings with JCE Pro 2.9.50, but these are now fixed in JCE Pro 2.9.51 Beta - https://www.joomlacontenteditor.net/downloads/editor/pro/development
Just because you're not paranoid doesn't mean everybody isn't out to get you.
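To make the two posts concrete, the following is an added example and not code from JCE, Joomla or the HTTP Headers plugin. It parses a policy string (the value of either a Content-Security-Policy or a Content-Security-Policy-Report-Only header), applies the CSP3 fallback chain (script-src-elem and script-src-attr fall back to script-src, which falls back to default-src) and the CSP3 rule that 'unsafe-inline' is ignored in a directive that also carries a nonce or hash source, and then reports whether un-nonced inline scripts, inline event handlers and eval() would be permitted. The three policies it audits are constructed for illustration: one shaped like the wizard output in the question, one shaped like the reply's nonce plus script-src 'self' plus object-src 'none' configuration, and one mixing a nonce with 'unsafe-inline'; the nonce value is a placeholder, not one any site issued.

```python
"""Audit a Content-Security-Policy value for inline-script exposure.

Added example; not JCE's, Joomla's or the HTTP Headers plugin's code.
Rules implemented (CSP Level 3):
  - script-src-elem / script-src-attr -> script-src -> default-src fallback;
    with none of them present, inline script and eval are allowed.
  - 'unsafe-inline' is ignored when the governing directive also contains
    a nonce-source or hash-source.
  - eval() is governed by script-src (fallback default-src) and needs
    'unsafe-eval'.
"""
from __future__ import annotations

FALLBACK = {
    "script-src-elem": ["script-src-elem", "script-src", "default-src"],
    "script-src-attr": ["script-src-attr", "script-src", "default-src"],
    "script-src": ["script-src", "default-src"],
}
HASH_OR_NONCE_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy into {directive: [source expressions]}.
    Browsers honour the first occurrence of a directive, so do we."""
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Return the source list that actually governs `directive` after
    fallback, or None when no directive governs it at all."""
    for name in FALLBACK[directive]:
        if name in policy:
            return policy[name]
    return None


def allows_unnonced_inline(policy: dict[str, list[str]], directive: str) -> bool:
    """True if an inline script element (script-src-elem) or inline event
    handler (script-src-attr) without a valid nonce/hash would execute."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True                      # nothing governs it: allowed
    if any(s.startswith(HASH_OR_NONCE_PREFIXES) for s in sources):
        return False                     # nonce/hash present: 'unsafe-inline' ignored
    return "'unsafe-inline'" in sources


def allows_eval(policy: dict[str, list[str]]) -> bool:
    sources = effective_sources(policy, "script-src")
    return sources is None or "'unsafe-eval'" in sources


def audit(header: str) -> dict[str, bool]:
    """Summarise the exposure a policy leaves open."""
    policy = parse_csp(header)
    return {
        "inline-script-elements": allows_unnonced_inline(policy, "script-src-elem"),
        "inline-event-handlers": allows_unnonced_inline(policy, "script-src-attr"),
        "eval": allows_eval(policy),
        "object-src-none": policy.get("object-src") == ["'none'"],
    }


# Constructed sample policies (placeholder nonce, not a real site's value).
WIZARD_STYLE = (
    "default-src 'self' 'unsafe-inline'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
    "script-src-elem 'self' 'unsafe-inline'; "
    "script-src-attr 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'"
)
NONCE_STYLE = "script-src 'self' 'nonce-PLACEHOLDER'; object-src 'none'"
NONCE_PLUS_UNSAFE_INLINE = (
    "script-src 'self' 'nonce-PLACEHOLDER' 'unsafe-inline'; object-src 'none'"
)

if __name__ == "__main__":
    for label, value in (("wizard", WIZARD_STYLE), ("nonce", NONCE_STYLE),
                         ("nonce+unsafe-inline", NONCE_PLUS_UNSAFE_INLINE)):
        print(f"{label:>20}: {audit(value)}")
```

Running the audit shows the point behind the question: a policy that whitelists 'unsafe-inline' and 'unsafe-eval' in the script directives leaves inline script elements, inline event handlers and eval() all permitted, so an injected script would still run. The nonce-based policy from the reply closes all three, and because a nonce in script-src makes browsers ignore 'unsafe-inline' in that same directive, leaving 'unsafe-inline' next to the nonce changes nothing for current browsers. Keep the policy in Report-Only while confirming that every inline script the editor emits carries the nonce, as the reply does.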