tracker issue : CF-4207244

select a category, or use search below
(searches all categories and all time range)

Support for CSP in CF Tags that generate JS

| View in Tracker

Status/Resolution/Reason: Open//

Reporter/Name(from Bugbase): Peter F. / ()

Created: 02/20/2020

Components: Wishlist

Versions: 2018

Failure Type:

Found In Build/Fixed In Build: /

Priority/Frequency: Normal /

Locale/System: / Core

Vote Count: 2

Content-Security-Policy (CSP) is a browser security mechanism that allows you to restrict how resources are loaded. This offers a very good protection from XSS in browsers that support it. See for more info. 

When Content-Security-Policy is enabled it disables all inline JavaScript and Style. Many of the CF tags, such as cfform, cfwebsocket,  and all of the CF UI tags generate inline JavaScript, and thus are not compatible with CSP by default.

There are two ways you can still allow the use of inline script or styles with CSP. First, by using a nonce, and second by whitelisting a hash (eg SHA-256) of the inline script. The nonce approach would work really well here and would allow CF users to use CSP on pages that have dynamically generated javascript. 

The nonce must be a secure random string generated per request, something like generateSecretKey() could be used but ideally convert it to url safe base64. The CF user would need to have a way to obtain the nonce value used in the CF tags dynamically generated JS/CSS, so perhaps a function could be added: getRequestNonce() that would either generate or return the nonce per request. Then In the implementation of tags such as CFForm it would pass the nonce value into the inline script tags that it generates.



CSP nonce feature:
Comment by Peter F.
33165 | February 20, 2020 07:39:00 PM GMT
Using a strict Content-Security-Policy is considered security best practice today (according to OWASP), and many commercial web applications require it. Using a nonce would be enough to get this one through in a patch to CF2018, but for CF2020 strict CSP should be baked in.
Comment by Benjamin R.
33187 | February 25, 2020 11:47:47 PM GMT