Getting UI Error while adding Content Security Policy


#1

Hello Guys,

We have a requirement to add a Content Security Policy response header. I have added this in a custom Filter, and below is the code snippet for the same.

res.addHeader("Content-Security-Policy", "script-src 'self'");
I am able to see it in the response header, but my localhost:8080/cms page is not loading, saying the below error.
Please find the attachment for the same. Do I need to add any configuration in Hippo to skip these single quotations… Kindly let me know if you guys are aware of any fix for this issue.

thanks & regards
ganesh

ERROR MESG:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"


#2

I got the fix for this; if anyone is facing the same issue, let me know, guys.


#3

Did you add the ‘unsafe-inline’ and ‘unsafe-eval’ keywords? That will fix the errors, but also decrease the value of your content security policy a lot.

The (main) problem is that the core of the CMS is using the Wicket framework and a lot of Wicket Ajax, which combines badly with CSP. See https://issues.apache.org/jira/browse/WICKET-5406 for details.


#4

Hello Mathijs,

Yes, I have added both of them and it got resolved.
Could you please help me, if we have any other better way to fix this issue…

warm regards
Ganesh


#5

No you don’t. We investigated CSP ourselves, but some core libraries and frameworks used by the CMS (notable ones: Wicket, CKEditor 4 and CodeMirror) prevent us from adding a proper strict CSP by default.

Just decide for yourself if a CSP with ‘unsafe-inline’ and ‘unsafe-eval’ adds enough value versus cost in your CMS implementation. The prime benefit of CSP is XSS prevention, which you don’t get with ‘unsafe-inline’ and ‘unsafe-eval’. Still, such a CSP could add some value, for example to enforce HTTPS URLs for all resources. See https://developers.google.com/web/fundamentals/security/csp/ for more examples.
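A filter along the lines of the one in #1, written here as an added example (not Ganesh's code or the CMS's own): it enforces the relaxed policy the thread ends up with, and, as an addition the thread does not propose, sends a stricter policy in Content-Security-Policy-Report-Only so violations are collected at a hypothetical /csp-report endpoint without breaking the CMS. It assumes the javax.servlet Filter API, and the exact directive set is illustrative.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class CspFilter implements Filter {
    // Enforced policy. Wicket Ajax, CKEditor 4 and CodeMirror need
    // 'unsafe-inline' and 'unsafe-eval', so most XSS protection is given
    // up; what is left is a host whitelist, HTTPS for every resource,
    // no plugins and no framing by other origins.
    static final String ENFORCED =
        "default-src 'self' https:; "
      + "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
      + "style-src 'self' 'unsafe-inline'; "
      + "object-src 'none'; "
      + "frame-ancestors 'self'";

    // Strict policy in report-only mode (assumed addition, not something
    // the thread proposes): the browser reports, but does not block, each
    // inline script and eval() the CMS relies on, at a hypothetical
    // /csp-report endpoint, which shows how far the application is from
    // a policy without the unsafe-* keywords.
    static final String REPORT_ONLY =
        "default-src 'self'; script-src 'self'; object-src 'none'; "
      + "report-uri /csp-report";

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response,
                         FilterChain chain) throws IOException, ServletException {
        if (response instanceof HttpServletResponse) {
            HttpServletResponse res = (HttpServletResponse) response;
            // setHeader, not addHeader: browsers apply every CSP header
            // they receive, so a duplicate would only tighten the policy.
            res.setHeader("Content-Security-Policy", ENFORCED);
            res.setHeader("Content-Security-Policy-Report-Only", REPORT_ONLY);
        }
        chain.doFilter(request, response);
    }

    @Override
    public void destroy() { }
}
```

Map the filter to /cms/* in web.xml; once the report-only violations for a page are down to the ones the named libraries cause, you know exactly which inline scripts stand between you and dropping the unsafe-* keywords.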