Content Security Policy issue

New Here, Mar 06, 2018

I have recently been asked to ensure our site scan is A+. Currently we are at an A because of the Content-Security-Policy header.

Currently the value is:

default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.mysite.com;

The warning from the scan is that the words 'unsafe-eval' and 'unsafe-inline' are dangerous.  The issue is that whenever I remove those from the policy, I get the following error:

refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *..... etc.

All of my CSS and JS are in their proper files and there is NO inline JS or CSS on my page. It appears that ColdFusion is adding the script shown below, right above my </head> tag, and that is what is causing the error to occur. If I change my <cfform tag to just <form the error goes away. Any ideas how I can fix this?

<script type="text/javascript">
<!--
    _CF_checklogin = function(_CF_this)
    {
        //reset on submit
        _CF_error_exists = false;
        _CF_error_messages = new Array();
        _CF_error_fields = new Object();
        _CF_FirstErrorField = null;
        //display error messages and return success
        if( _CF_error_exists )
        {
            if( _CF_error_messages.length > 0 )
            {
                // show alert() message
                _CF_onErrorAlert(_CF_error_messages);
                // set focus to first form error, if the field supports js focus().
                if( _CF_this[_CF_FirstErrorField].type == "text" )
                { _CF_this[_CF_FirstErrorField].focus(); }
            }
            return false;
        }else {
            return true;
        }
    }
//-->
</script>

</head>


1 Correct answer

Enthusiast, Aug 31, 2018

The cfform tags generate inline JavaScript, so it is not possible to use Content-Security-Policy without specifying 'unsafe-inline', which defeats the purpose of Content-Security-Policy to begin with.

The only alternative is to rewrite your cfform tags to use HTML form tags. If you were using validation in cfform it must be redone. From a security perspective it is preferable to add server-side validation; any client-side validation will need to be done in a separate JS file (not inline JS).
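To make the accepted answer concrete, here is an added example (not from the thread or from ColdFusion) that parses the question's header, lists what a header scanner flags, and reproduces the browser's decision that produced the "Refused to execute inline script" error once 'unsafe-inline' was removed. The hardened header string is constructed for the demo; the directive fallback and nonce/hash rule follow the CSP Level 2 specification.

```javascript
// Parse a Content-Security-Policy header into Map<directive, [sources]>.
// Directives are separated by ';', sources by whitespace; per the spec a
// repeated directive name is ignored, so the first occurrence wins.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(';')) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!policy.has(key)) policy.set(key, sources);
  }
  return policy;
}

// script-src (and most fetch directives) fall back to default-src when absent.
function effectiveSources(policy, directive) {
  return policy.get(directive) || policy.get('default-src') || [];
}

// What a header scanner reports: unsafe keywords plus broad wildcard hosts
// that are worth reviewing because they widen the set of allowed scripts.
function findRisks(policy) {
  const risks = [];
  for (const [directive, sources] of policy) {
    for (const src of sources) {
      if (src === "'unsafe-inline'" || src === "'unsafe-eval'") risks.push(`${directive}: ${src}`);
      else if (src === '*' || src.startsWith('*.')) risks.push(`${directive}: wildcard host ${src}`);
    }
  }
  return risks;
}

// Browser decision for an inline <script> that carries no nonce attribute:
// it runs only if 'unsafe-inline' is present, and CSP Level 2 ignores that
// keyword as soon as any nonce- or sha*- source appears in the directive.
function inlineScriptAllowed(policy) {
  const sources = effectiveSources(policy, 'script-src');
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// The header quoted in the question, and a constructed variant with the two
// keywords removed, as the poster tried.
const ORIGINAL = "default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.mysite.com;";
const HARDENED = "default-src 'self'; script-src 'self' *.google-analytics.com *.googleapis.com *.mysite.com;";

console.log(findRisks(parseCsp(ORIGINAL)));
console.log(inlineScriptAllowed(parseCsp(ORIGINAL)), inlineScriptAllowed(parseCsp(HARDENED)));
```

With the hardened header `inlineScriptAllowed` returns false, which is exactly why the generated `_CF_checklogin` block is refused: the fix has to remove the inline script (plain <form> plus an external JS file), not relax the policy.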

LEGEND, Aug 31, 2018

With all due respect, form validation _can_ be done client-side if the developer or client wants it, but server-side validation should _always_ be used. Bar none. There are too many things that can go wrong by using only client-side validation. Its only benefit is to reduce webserver CPU by analyzing and displaying corrections before being sent to the webserver, which these days is pretty much only for dial-up/DSN connections for the user.

Just my two cents.

V/r,

^ _ ^

Enthusiast, Aug 31, 2018

I totally agree; I wasn't suggesting that they only do client-side validation, I was referring to the validation that the cfform tag might be doing (which would be client-side validation). I have updated my post to make that more clear.
