We have a requirement to add a Content-Security-Policy response header. I have added this in a custom Filter; below is the code snippet for the same.
res.addHeader("Content-Security-Policy", "script-src 'self'");
I am able to see it in the response header, but my localhost:8080/cms page is not loading and shows the error below.
Please find the attachment for the same. Do I need to add any configuration in Hippo to skip these single quotations? Kindly let me know if you are aware of any fix for this issue.
thanks & regards
ganesh
ERROR MESSAGE:
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"
Did you add the ‘unsafe-inline’ and ‘unsafe-eval’ keywords? That will fix the errors, but also decrease the value of your content security policy a lot.
The (main) problem is that the core of the CMS is using the Wicket framework and a lot of Wicket Ajax, which combines badly with CSP. See https://issues.apache.org/jira/browse/WICKET-5406 for details.
No you don’t. We investigated CSP ourselves, but some core libraries and frameworks used by the CMS (notable ones: Wicket, CKEditor 4 and CodeMirror) prevent us from adding a proper strict CSP by default.
Just decide for yourself whether a CSP with 'unsafe-inline' and 'unsafe-eval' adds enough value versus cost in your CMS implementation. The prime benefit of CSP is XSS prevention, which you don't get with 'unsafe-inline' and 'unsafe-eval'. Still, such a CSP could add some value, for example to enforce HTTPS URLs for all resources. See https://developers.google.com/web/fundamentals/security/csp/ for more examples.
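As an added example (not code from the original post, nor part of Hippo CMS), here is a hypothetical servlet filter that puts both policies from this thread side by side: the strict `script-src 'self'` policy that breaks the Wicket-based CMS UI, and a relaxed policy with `'unsafe-inline'` and `'unsafe-eval'` that keeps the CMS working while `default-src https:` still rejects resources loaded over plain http. The class name, the `policy` init-param and the exact directive list are assumptions for illustration; the header value uses straight ASCII quotes, since the typographic quotes in the original snippet produce an invalid directive.

```java
import java.io.IOException;

import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical filter (not part of Hippo CMS) that sets a
 * Content-Security-Policy header on every response it handles.
 */
public class ContentSecurityPolicyFilter implements Filter {

    // Strict policy: same-origin scripts only, no inline <script> and no eval().
    // This is what the original filter sent; it triggers the "Refused to
    // execute inline script" error in the CMS UI.
    static final String STRICT_POLICY = "script-src 'self'";

    // Relaxed policy that keeps the Wicket-based CMS working. 'unsafe-inline'
    // and 'unsafe-eval' give up CSP's XSS protection, but "https:" as a
    // scheme-source still blocks any resource fetched over plain http:,
    // and object-src 'none' / base-uri 'self' cost nothing.
    static final String RELAXED_POLICY =
            "default-src 'self' https: 'unsafe-inline' 'unsafe-eval'; "
          + "object-src 'none'; "
          + "base-uri 'self'";

    private String policy = RELAXED_POLICY;

    @Override
    public void init(FilterConfig config) {
        // Optional init-param "policy" (assumed name) lets web.xml override
        // the default, so the value is tunable without a rebuild.
        String configured = config.getInitParameter("policy");
        if (configured != null && !configured.trim().isEmpty()) {
            policy = configured.trim();
        }
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (res instanceof HttpServletResponse) {
            HttpServletResponse http = (HttpServletResponse) res;
            // setHeader rather than addHeader: if the filter runs twice for one
            // request, addHeader would emit two CSP headers and browsers enforce
            // the intersection of all of them, which is hard to debug.
            http.setHeader("Content-Security-Policy", policy);
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() {
        // nothing to release
    }
}
```

Register it in web.xml with a `<filter>`/`<filter-mapping>` pair on the CMS URL pattern. Before switching to the enforcing header, the same filter can send the policy as `Content-Security-Policy-Report-Only` instead, so violations show up in the browser console without blocking the page and you can confirm which CMS components (Wicket Ajax, CKEditor, CodeMirror) actually need the relaxed keywords.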