
Content Security Policy?

I'd like to put a Content Security Policy in place. 

Here's the line of code I added to .htaccess: Header set Content-Security-Policy "default-src https:"

I have Photo Album module that I've configured with the Slideshow content action and the Default content display.

When I have the above Content Security Policy active, the slideshow doesn't appear. Once I comment out the Content Security Policy from .htaccess, the slideshow appears. I think the reason the slideshow doesn't appear is because it uses an inline script. I know that I could add 'unsafe-inline' but that won't provide any XSS protection. 

How can I have the inline script and still have XSS protection?


  • edited August 2016
    I assume this is a secure (https) site? What does the browser debug 'console' tell you when you load the page? There's an article at which talks to inline-scripts near the bottom...the fix might require some coding changes?
    • Either the 'unsafe-inline' keyword, a hash ('sha256-ZVjd2zfSTfAVh1y7eCcNk0SPGUQOP/H8vzrFJIVgg90='), or a nonce ('nonce-...') is required to enable inline execution.
    Most external scripts require some inline code to actually run which is likely the case above...e.g., our 'scripts' are on the view template itself and not an external file.

    In a simple local test, not only are all inline scripts blocked, but also inline styles. It also won't allow the editor to work, etc... Current versions of Exponent afford quite a bit of XSS protection by scrubbing ALL input via forms and the fact the only scripts/forms, etc... which aren't scrubbed are text entered within a code snippet module.
  • Here's an entry I was able to get things working, but it may actually turn off the features you are trying to implement?
    Header set Content-Security-Policy "default-src 'self'; media-src *; img-src *;  font-src *; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"
    Basically it defaults to allowing external loading of files from 'self', loading media, img, & font from anywhere (*) and allows for unsafe-inline scripts and styles along with unsafe eval() in scripts. The list of acceptable domains is based on loading the google maps api and a google font. All that being said, Facebook buttons still won't load because they are coming in 'frames' and since we don't set it above, it defaults to 'self'. I'd have to add a frame-src 'self' with about 3 domains.
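The two alternatives to 'unsafe-inline' that the quoted console message names, a hash source or a nonce, can both be produced mechanically from the page markup. The following is an added example, not code from this thread, from Exponent or from its Photo Album module: it computes the 'sha256-...' token for each inline script in a constructed HTML fragment, builds the matching Content-Security-Policy value and the .htaccess Header line, shows the per-response nonce variant, and applies the default-src fallback the reply above ran into with frame-src (extended here to the child-src step that CSP3 puts in between). All function names and the sample markup are assumptions made for the example.

```python
"""Whitelisting inline scripts under CSP with hashes or nonces (added example)."""
import base64
import hashlib
import re
import secrets

# Constructed sample fragment standing in for a slideshow page: one inline
# script (the kind a CSP without 'unsafe-inline' blocks) and one external one.
SAMPLE_HTML = """<div id="slideshow"></div>
<script>
  startSlideshow("slideshow", {interval: 5000});
</script>
<script src="https://example.com/static/slideshow.js"></script>
"""

# Policy posted in the reply above, without the surrounding Header quotes.
THREAD_POLICY = ("default-src 'self'; media-src *; img-src *;  font-src *; "
                 "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline';")

# Matches <script> elements that have no src attribute (inline scripts only).
INLINE_SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>",
                              re.DOTALL | re.IGNORECASE)


def inline_script_bodies(html):
    """Return the exact text between <script> and </script> for inline scripts."""
    return INLINE_SCRIPT_RE.findall(html)


def csp_hash_source(script_body, algo="sha256"):
    """CSP hash source for one inline script: hash of the bytes between the tags,
    whitespace included, base64-encoded, e.g. 'sha256-<base64>'."""
    digest = hashlib.new(algo, script_body.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def hash_based_policy(html):
    """script-src allowing same-origin files plus each inline script by hash.
    Any edit to an inline script changes its hash, so regenerate after changes."""
    sources = ["'self'"] + [csp_hash_source(b) for b in inline_script_bodies(html)]
    return "default-src 'self'; script-src %s" % " ".join(sources)


def new_nonce():
    """Fresh, unguessable nonce; must be generated per response, never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def nonce_based_policy(nonce):
    """script-src allowing same-origin files plus inline scripts carrying the nonce."""
    return "default-src 'self'; script-src 'self' 'nonce-%s'" % nonce


def add_nonce_to_inline_scripts(html, nonce):
    """Stamp the nonce onto inline <script> tags so they match the policy."""
    return re.sub(r"<script(?![^>]*\bsrc=)", '<script nonce="%s"' % nonce,
                  html, flags=re.IGNORECASE)


def htaccess_line(policy):
    """The Apache mod_headers line the question added to .htaccess."""
    return 'Header set Content-Security-Policy "%s"' % policy


def parse_policy(policy):
    """Parse a header value into {directive: [sources]}."""
    parsed = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            parsed[tokens[0].lower()] = tokens[1:]
    return parsed


# Fallback chains for directives a policy leaves out (CSP3 semantics).
FALLBACK = {
    "frame-src": ["child-src", "default-src"],
    "worker-src": ["child-src", "script-src", "default-src"],
}


def effective_sources(policy, directive):
    """Sources that actually govern a fetch directive after fallback."""
    parsed = parse_policy(policy)
    for name in [directive] + FALLBACK.get(directive, ["default-src"]):
        if name in parsed:
            return parsed[name]
    return []


def allows_unchecked_inline_scripts(policy):
    """True when any inline script runs: 'unsafe-inline' is present and no
    nonce/hash source is there to make CSP2+ browsers ignore it."""
    sources = effective_sources(policy, "script-src")
    guarded = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
                  for s in sources)
    return "'unsafe-inline'" in sources and not guarded


if __name__ == "__main__":
    print(htaccess_line(hash_based_policy(SAMPLE_HTML)))
    nonce = new_nonce()
    print(htaccess_line(nonce_based_policy(nonce)))
    print(add_nonce_to_inline_scripts(SAMPLE_HTML, nonce))
    print("frame-src under thread policy:", effective_sources(THREAD_POLICY, "frame-src"))
    print("thread policy runs any inline script:", allows_unchecked_inline_scripts(THREAD_POLICY))
```

The hash variant suits a CMS that emits fixed inline scripts from a template: hashes can be computed once at deploy time and do not require the header to change per request. The nonce variant needs the server to generate the value for every response and inject it into both the header and each inline script tag, which is why it usually needs code changes in the application rather than a static .htaccess line.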