Content Security Policy issue

New Here, Mar 06, 2018

I have recently been asked to ensure our site scan is A+. Currently we are at an A because of the Content-Security-Policy header.

Currently the value is:

default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline' *.google-analytics.com *.googleapis.com *.mysite.com;

The warning from the scan is that the words 'unsafe-eval' and 'unsafe-inline' are dangerous. The issue is that whenever I remove those from the policy, I get the following error:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' *..... etc.

All of my CSS and JS are in their proper files and there is NO inline JS or CSS on my page. It appears that ColdFusion is adding the script shown below, right above my </head> tag, and that is what is causing the error. If I change my <cfform> tag to just <form> the error goes away. Any ideas how I can fix this?

<script type="text/javascript">
<!--
    _CF_checklogin = function(_CF_this)
    {
        //reset on submit
        _CF_error_exists = false;
        _CF_error_messages = new Array();
        _CF_error_fields = new Object();
        _CF_FirstErrorField = null;
        //display error messages and return success
        if( _CF_error_exists )
        {
            if( _CF_error_messages.length > 0 )
            {
                // show alert() message
                _CF_onErrorAlert(_CF_error_messages);
                // set focus to first form error, if the field supports js focus().
                if( _CF_this[_CF_FirstErrorField].type == "text" )
                { _CF_this[_CF_FirstErrorField].focus(); }
            }
            return false;
        }else {
            return true;
        }
    }
//-->
</script>
</head>


Enthusiast, Aug 31, 2018

The cfform tags generate inline JavaScript, so it is not possible to use Content-Security-Policy without specifying 'unsafe-inline', which defeats the purpose of Content-Security-Policy to begin with.

The only alternative is to rewrite your cfform tags to use HTML form tags. If you were using validation in cfform it must be redone. It is preferable to add server-side validation from a security perspective; any client-side validation will need to be done in a separate JS file (not inline JS).

LEGEND, Aug 31, 2018

With all due respect, form validation _can_ be done client-side if the developer or client wants it, but server-side validation should _always_ be used. Bar none. There are too many things that can go wrong by using only client-side validation. Its only benefit is to reduce webserver CPU by analyzing and displaying corrections before being sent to the webserver, which these days is pretty much only for dial-up/DSN connections for the user.

Just my two cents.

V/r,

^ _ ^

Enthusiast, Aug 31, 2018

I totally agree. I wasn't suggesting that they only do client-side validation; I was referring to the validation that the cfform tag might be doing (which would be client-side validation). I have updated my post to make that more clear.
