Thursday, 24 March 2016

Implemented CSP in my site, but a 3rd party library uses inline javascript. Can I selectively allow 'unsafe-inline'?

I've implemented CSP headers in my public site for security purposes, and have refactored the code to remove any instances of inline JavaScript like onclick=foo() and <a href='javascript: bar()'>.

We've recently integrated with a 3rd party that injects code into the page. This is required on every public-facing page. The issue is that their code contains a lot of inline JavaScript (same as mentioned above) and violates our CSP headers that disallow inline scripting.

My understanding is that if you have to add 'unsafe-inline' for scripting you might as well not implement CSP at all due to the remaining security risks.

We're able to change the CSP headers per page, but since the code is required on every page it seems like it's all or nothing.

It doesn't look like you can allow 'unsafe-inline' for only specific parts of a page, or we could just allow it for that section.

Is my only choice to allow 'unsafe-inline' and defeat the whole point of CSP?
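An added example from the editor, not part of the original post and not the third party's code. CSP Level 2 provides two script-src sources that admit specific inline script without 'unsafe-inline': a hash source ('sha256-…') computed over the exact body of an inline <script> element, and a per-response nonce source ('nonce-…') echoed on the <script> element. The script below inventories the inline script in a page, builds a script-src directive from hashes plus a fresh nonce, and separately lists the pieces those sources cannot cover: on* event-handler attributes and javascript: URLs, which under CSP Level 2 still need 'unsafe-inline' (CSP Level 3 later added 'unsafe-hashes' for them). SAMPLE_HTML is a constructed stand-in for a page after injection; the function and attribute names are this example's own.

```python
"""
Editor-added example (not from the original post or the third party):
inventory the inline JavaScript a page carries and build a script-src
directive that admits only the hashable parts, via CSP hash and nonce
sources, instead of blanket 'unsafe-inline'.
"""
import base64
import hashlib
import re
import secrets

# Constructed sample page: one external script, one inline <script> block,
# and the two kinds of inline JavaScript the question describes.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script>window.vendorConfig = {id: 42};</script>
<button onclick="foo()">Go</button>
<a href="javascript: bar()">Bar</a>
</body></html>"""

# Inline <script> elements (no src attribute). The body is hashed exactly as
# served, whitespace included, because that is what the browser hashes.
INLINE_SCRIPT_RE = re.compile(
    r"<script\b(?![^>]*\bsrc\s*=)[^>]*>(.*?)</script>",
    re.IGNORECASE | re.DOTALL)
# on* handler attributes and javascript: URLs: not covered by hash/nonce sources.
EVENT_HANDLER_RE = re.compile(r'\s(on\w+)\s*=\s*"([^"]*)"', re.IGNORECASE)
JS_URL_RE = re.compile(r'\b(href|src)\s*=\s*"\s*javascript:', re.IGNORECASE)


def csp_sha256(source: str) -> str:
    """Return the CSP hash-source token ('sha256-<base64>') for one script body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def script_hashes(html: str) -> list:
    """Hash-source tokens for every inline <script> body, in document order."""
    return [csp_sha256(body) for body in INLINE_SCRIPT_RE.findall(html)]


def uncoverable_inline(html: str) -> list:
    """Inline JavaScript that no hash or nonce on a <script> element can admit."""
    found = [f"{name}={value!r}" for name, value in EVENT_HANDLER_RE.findall(html)]
    found += [f"{attr}=javascript:" for attr in JS_URL_RE.findall(html)]
    return found


def new_nonce() -> str:
    """Fresh per-response nonce: 128 random bits, base64-encoded as CSP requires."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def build_script_src(hashes, nonce=None, hosts=("'self'",)) -> str:
    """Compose a script-src directive that never contains 'unsafe-inline'."""
    sources = list(hosts) + list(hashes)
    if nonce:
        sources.append(f"'nonce-{nonce}'")
    return "script-src " + " ".join(sources)


if __name__ == "__main__":
    hashes = script_hashes(SAMPLE_HTML)
    print("Content-Security-Policy:", build_script_src(hashes, nonce=new_nonce()))
    for item in uncoverable_inline(SAMPLE_HTML):
        print("still blocked without 'unsafe-inline':", item)
```

Run as-is to see the directive for the sample page and the two items it cannot admit. The hash list only works if the injected <script> bodies are byte-identical on every response; if the third party varies them, the nonce path is the one that scales, but it requires the vendor to put the nonce on the elements it injects. Either way the onclick and javascript: pieces remain the sticking point: they are exactly what 'unsafe-inline' would re-enable page-wide, so the realistic options are to have the vendor move handlers into a hashable or nonced script, or to accept the weakened policy knowingly.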
