Insecure Script-src and Style-src

  • Hi Dylan,

    For script-src, I am using an ‘unsafe-eval’ ‘unsafe-inline’ value
    For style-src, I am using only an ‘unsafe-inline’ value

    However, according to hardenize.com, these parameters shouldn’t be used because it renables insecure behavior that CSP disables by default. Here’s a more in-depth explanation as to why this website doesn’t recommended these values:

    Script-src, unsafe-eval: By default, CSP doesn’t allow dynamic script execution via eval and friends, but this policy overrides that behavior by specifyin ‘unsafe-eval’ in the ‘script-src’ directive. As a result, XSS defenses provided by CSP are significantly weakened.

    Script-src, unsafe-inline: By default, CSP doesn’t allow inline script execution, but this policy overrides that behavior by specifying ‘unsafe-inline’ in the ‘script-src’ directive. As a result, all XSS defenses provided by CSP are significantly weakened.

    Style-src, unsafe-line: This policy allows inline styles. Although they are not as bad as inline scripts in terms of security, an injection bug in script area would allow the attacker to modify page appearance.

    Do you have any sound recommendations to address these security concerns? If I delete these values, I end up getting many errors.

    Thanks for the help like always and I apologize for taking so much of your time!

    All my best,

    Joe

Viewing 2 replies - 1 through 2 (of 2 total)

  • i dont think there is any ‘quick’ way around this given that word press core requires the use of inline scripts to work.
    Instead, you need to use the hash-value and proceed to white-list each of them.

    Hello!

    There is a way to secure your website, which this plugin supports as well. You can set “nonces” (CSP v3) and remove unsafe attributes. This will set a nonce to each script and style insertion and mark them as ‘safe’.

    Bet regards,
    Heiko

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Insecure Script-src and Style-src’ is closed to new replies.