We have a requirement to add a Content Security Policy response header. I have added this in a custom Filter, and below is the code snippet for the same.
res.addHeader("Content-Security-Policy", "script-src 'self'");
I am able to see it in the response header, but my localhost:8080/cms page is not loading and shows the error below.
Please find the attachment for the same. Do I need to add any configuration in Hippo to skip these single quotations… Kindly let me know if you guys are aware of any fix for this issue.
Thanks & regards
Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'"
I got the fix for this; if anyone is facing the same issue, let me know, guys.
Did you add the 'unsafe-inline' and 'unsafe-eval' keywords? That will fix the errors, but also decrease the value of your content security policy a lot.
The (main) problem is that the core of the CMS is using the Wicket framework and a lot of Wicket Ajax, which combines badly with CSP. See https://issues.apache.org/jira/browse/WICKET-5406 for details.
Yes, I have added both of them and it got resolved.
Could you please help me if there is any other, better way to fix this issue…
No, you don't. We investigated CSP ourselves, but some core libraries and frameworks used by the CMS (notable ones: Wicket, CKEditor 4 and CodeMirror) prevent us from adding a proper strict CSP by default.
Just decide for yourself whether a CSP with 'unsafe-inline' and 'unsafe-eval' adds enough value versus cost in your CMS implementation. The prime benefit of CSP is XSS prevention, which you don't get with 'unsafe-inline' and 'unsafe-eval'. Still, such a CSP could add some value, for example to enforce HTTPS URLs for all resources. See https://developers.google.com/web/fundamentals/security/csp/ for more examples.
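To make the trade-off in the replies concrete, here is a small CSP evaluator added as an example (it is not code from this thread or from the Hippo CMS). It models, in simplified form, how a browser decides whether a script may run under a `script-src`/`default-src` policy, so you can see why `script-src 'self'` rejects the inline script from the error above, and that a relaxed policy with `'unsafe-inline'` and `'unsafe-eval'` still blocks plain-HTTP script URLs when `https:` is the scheme source. The page and script URLs are constructed for the demo; it is written in Python rather than as a Java Filter so the decisions can be checked directly.

```python
from urllib.parse import urlsplit

def parse_csp(header):
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def script_allowed(header, page_url, script_url=None):
    """Return True if a script may run under the policy (simplified source matching).
    script_url=None means an inline <script> block, the case the
    'Refused to execute inline script' error reports."""
    policy = parse_csp(header)
    # script-src falls back to default-src; with neither present, scripts are unrestricted.
    if "script-src" not in policy and "default-src" not in policy:
        return True
    sources = policy.get("script-src", policy.get("default-src", []))
    if script_url is None:
        # Browsers ignore 'unsafe-inline' once a nonce or hash source is listed.
        nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                            for s in sources)
        return "'unsafe-inline'" in sources and not nonce_or_hash
    page, script = urlsplit(page_url), urlsplit(script_url)
    for src in sources:
        if src == "'self'":                    # same scheme, host and port as the page
            if (script.scheme, script.netloc) == (page.scheme, page.netloc):
                return True
        elif src == "*":                       # any network scheme
            if script.scheme in ("http", "https"):
                return True
        elif src.endswith(":"):                # scheme source such as https:
            if script.scheme == src[:-1]:
                return True
        elif not src.startswith("'"):          # host source, optional scheme and *. wildcard
            scheme, _, host = src.rpartition("://")
            if scheme and scheme != script.scheme:
                continue
            if host == script.netloc or (host.startswith("*.") and script.netloc.endswith(host[1:])):
                return True
    return False

# Constructed demo values: the page from the question and the two policies discussed.
CMS_PAGE = "http://localhost:8080/cms"
STRICT_CSP = "script-src 'self'"
RELAXED_CSP = "default-src https: 'self' 'unsafe-inline' 'unsafe-eval'"
```

Under `STRICT_CSP` an inline block is refused while `http://localhost:8080/cms/wicket.js` loads; under `RELAXED_CSP` inline scripts run again, but a script fetched over plain HTTP from another host is still blocked.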