Is Content Security Policy (CSP) Isolation possible?

Time:10-07

Here is the question/problem: I provide a JavaScript file from our business domain (e.g. www.mysite.com/js/metrics.js) which is included in over 20 different web apps, in the head of their documents. It is for analytics tracking. I'm assuming that I need to set a CSP by updating the DOM with a script-src meta tag which only applies to my code and the external JavaScripts it calls (from the Akamai CDN, assets.adobedtm.com), not the whole web app. Is it possible to do this, or will my CSP meta tag apply to any external scripts the web app loads, so that I'd have to know every external JavaScript all the web apps load? Is there any way to achieve this? Any ideas? This is my first time doing CSP, so maybe I'm not understanding it correctly... so be gentle!

Thanks!

CodePudding user response:

Yes, your CSP meta tag will apply to any external scripts the web app loads, and in general you have to know every external JavaScript all the web apps load.
But if all the scripts you load are from assets.adobedtm.com, you can just add this source to the script-src directive:

 script-src assets.adobedtm.com

and all external scripts from it will be allowed.

Also, CSP provides a possibility to do what you want: the 'strict-dynamic' token paired with a 'nonce-value' or 'hash-value'. But Safari still has not implemented this (it is supported by Chrome, Edge and Firefox). If you have a CSP with a 'nonce-value' like:

 script-src 'nonce-SomeSecureValue' 'strict-dynamic';

then:

 <script src='https://domain/script.js' nonce='SomeSecureValue'></script>

will be allowed to load, and any child scripts it inserts will be allowed too.

In the case of a CSP with a 'hash-value':

 script-src 'sha256-HashOfScriptAllowed' 'sha256-HashOfScript2Allowed' 'strict-dynamic';

then:

 <script src='https://domain/script.js' integrity='sha256-HashOfScriptAllowed'></script>

will be allowed to load, and any child scripts it inserts will be allowed too. But Firefox has a bug and supports 'hash-value' for inline scripts only, not for external ones.

Alternatively, you can use an inline <script nonce='SomeSecureValue'> ...dynamically create script tags and load external scripts... </script> and allow it via a nonce or hash. All its child scripts will be allowed.
Safari's 'strict-dynamic' bug can be worked around using Google's strict CSP.
