Details
-
Task
-
Resolution: Fixed
-
L3 - Default
-
None
Description
Acceptance Criteria (Required on creation):
- The script-src part of our default Content Security Policy defines the following values:
- strict-dynamic
- nonce-<value> with a randomly generated value when the index page is delivered
- unsafe-eval (needed for webapp plugins and embedded forms)
- script-src does not define the following values
- unsafe-inline
- default-src defines only the minimal additional content sources that we need to for other content types
- The backend generates a secure random nonce, returns a new value with the CSP on every request to the index page, and inserts the nonce into any <script> tags that our HTML pages use (see https://content-security-policy.com/strict-dynamic/)
- Any unnecessary use of inline scripts in our codebase is refactored into an external resource
- Webapp plugins and embedded forms still work. It's still possible to include cam-script and regular script elements in the corresponding html files
- Our CSP documentation mentions that unsafe-eval can be removed from the CSP if webapp plugins and embedded forms are not used