I have recently been asked to ensure our site scan is A+. Currently we are at an A because of the Content-Security-Policy header.
Currently the value is:
default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.mysite.com;
The warning from the scan is that the words 'unsafe-eval' and 'unsafe-inline' are dangerous. The issue is that whenever I remove those from the policy, I get the following error:
refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *..... etc.
All of my CSS and JS are in their proper files and there is NO inline JS or CSS on my page. It appears that ColdFusion is adding the script shown below, right above my </head> tag, and that is what is causing the error to occur. If I change my <cfform tag to just <form the error goes away. Any ideas how I can fix this?
<script type="text/javascript">
<!--
_CF_checklogin = function(_CF_this)
{
    //reset on submit
    _CF_error_exists = false;
    _CF_error_messages = new Array();
    _CF_error_fields = new Object();
    _CF_FirstErrorField = null;
    //display error messages and return success
    if( _CF_error_exists )
    {
        if( _CF_error_messages.length > 0 )
        {
            // show alert() message
            _CF_onErrorAlert(_CF_error_messages);
            // set focus to first form error, if the field supports js focus().
            if( _CF_this[_CF_FirstErrorField].type == "text" )
            { _CF_this[_CF_FirstErrorField].focus(); }
        }
        return false;
    } else {
        return true;
    }
}
//-->
</script>
</head>
The cfform tags generate inline JavaScript, so it is not possible to use Content-Security-Policy without specifying unsafe-inline, which defeats the purpose of Content-Security-Policy to begin with.
The only alternative is to rewrite your cfform tags to use HTML form tags. If you were using validation in cfform it must be redone. It is preferable to add server-side validation from a security perspective; any client-side validation will need to be done in a separate JS file (not inline JS).
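As an added example that is not code from this thread or from ColdFusion: a stand-alone validation script that can live in its own file on the site's origin, so it is allowed by script-src 'self' and does the job of the inline checker cfform injects. It attaches with addEventListener rather than an onsubmit attribute, because inline event handler attributes are blocked by the same policy once 'unsafe-inline' is gone. The form id, field names and rules are assumptions.

```javascript
// validate-login.js: added example, not cfform's generated code. Served from the
// site's own origin it is allowed by script-src 'self' and replaces the inline
// checker above. Field names and rules are assumptions for illustration.
const RULES = {
  username: { required: true, maxLength: 64 },
  password: { required: true, minLength: 8 },
  email:    { required: false, pattern: /^[^@\s]+@[^@\s]+\.[^@\s]+$/ },
};
// Pure validator: plain object of field values in, list of {field, message}
// out (empty when acceptable). No DOM access, so it is testable outside a browser.
function validateFields(values, rules = RULES) {
  const errors = [];
  for (const [field, rule] of Object.entries(rules)) {
    const value = String(values[field] ?? '').trim();
    if (rule.required && value === '') {
      errors.push({ field, message: `${field} is required` });
      continue;
    }
    if (value === '') continue; // optional and empty: nothing more to check
    if (rule.minLength && value.length < rule.minLength)
      errors.push({ field, message: `${field} must be at least ${rule.minLength} characters` });
    if (rule.maxLength && value.length > rule.maxLength)
      errors.push({ field, message: `${field} must be at most ${rule.maxLength} characters` });
    if (rule.pattern && !rule.pattern.test(value))
      errors.push({ field, message: `${field} is not valid` });
  }
  return errors;
}
// Browser hook-up. No onsubmit="" attribute in the HTML: inline event handler
// attributes are blocked by the same CSP that blocks inline <script> blocks.
function attachValidation(form) {
  form.addEventListener('submit', (event) => {
    const values = Object.fromEntries(new FormData(form).entries());
    const errors = validateFields(values);
    if (errors.length > 0) {
      event.preventDefault();                                 // like cfform's "return false"
      window.alert(errors.map((e) => e.message).join('\n')); // stand-in for _CF_onErrorAlert
      const first = form.elements[errors[0].field];
      if (first && typeof first.focus === 'function') first.focus();
    }
    // The server must validate again on submit; this only saves a round trip.
  });
}

if (typeof document !== 'undefined') {
  const form = document.getElementById('loginForm'); // assumed form id
  if (form) attachValidation(form);
}
if (typeof module !== 'undefined') module.exports = { validateFields, attachValidation, RULES };
```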
With all due respect, form validation _can_ be done client-side if the developer or client wants it, but server-side validation should _always_ be used. Bar none. There are too many things that can go wrong by using only client-side validation. Its only benefit is to reduce webserver CPU by analyzing and displaying corrections before being sent to the webserver, which these days is pretty much only for dial-up/DSN connections for the user.
Just my two cents.
V/r,
^ _ ^
I totally agree. I wasn't suggesting that they only do client-side validation; I was referring to the validation that the cfform tag might be doing (which would be client-side validation). I have updated my post to make that more clear.