
Content Security Policy issue

  • March 6, 2018
  • 1 reply
  • 3265 views

I have recently been asked to ensure our site scan is A+. Currently we are at an A because of the Content-Security-Policy header.

Currently the value is:

default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.mysite.com;

The warning from the scan is that the words 'unsafe-eval' and 'unsafe-inline' are dangerous. The issue is that whenever I remove those from the policy, I get the following error:

refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *..... etc.

All of my CSS and JS are in their proper files and there is NO inline JS or CSS on my page. It appears that ColdFusion is adding the script shown below, right above my </head> tag, and that is what is causing the error to occur. If I change my <cfform tag to just <form the error goes away. Any ideas how I can fix this?

<script type="text/javascript">
<!--
    _CF_checklogin = function(_CF_this)
    {
        //reset on submit
        _CF_error_exists = false;
        _CF_error_messages = new Array();
        _CF_error_fields = new Object();
        _CF_FirstErrorField = null;
        //display error messages and return success
        if( _CF_error_exists )
        {
            if( _CF_error_messages.length > 0 )
            {
                // show alert() message
                _CF_onErrorAlert(_CF_error_messages);
                // set focus to first form error, if the field supports js focus().
                if( _CF_this[_CF_FirstErrorField].type == "text" )
                { _CF_this[_CF_FirstErrorField].focus(); }
            }
            return false;
        }else {
            return true;
        }
    }
//-->
</script>
</head>


    pete_freitag (Correct answer)
    Participating Frequently
    August 31, 2018

    The cfform tags generate inline JavaScript, so it is not possible to use Content-Security-Policy without specifying 'unsafe-inline', which defeats the purpose of Content-Security-Policy to begin with.

    The only alternative is to rewrite your cfform tags to use HTML form tags. If you were using validation in cfform, it must be redone. It is preferable to add server-side validation from a security perspective; any client-side validation will need to be done in a separate JS file (not inline JS).

    WolfShade
    Legend
    August 31, 2018

    With all due respect, form validation _can_ be done client-side if the developer or client wants it, but server-side validation should _always_ be used. Bar none. There are too many things that can go wrong by using only client-side validation. Its only benefit is to reduce webserver CPU by analyzing and displaying corrections before being sent to the webserver, which these days is pretty much only for dial-up/DSL connections for the user.

    Just my two cents.

    V/r,

    ^ _ ^

    pete_freitag
    Participating Frequently
    August 31, 2018

    I totally agree. I wasn't suggesting that they only do client-side validation; I was referring to the validation that the cfform tag might be doing (which would be client-side validation). I have updated my post to make that more clear.