RE: RE: CSP unsafe-inline unsafe-eval

2024-02-21T08:01:21Z

Thank you, Zsigmond.

RE: CSP unsafe-inline unsafe-eval

2024-02-21T08:01:25Z

Hi Václav,

We have been working on CSP support in the portal already. You can watch the https://liferay.atlassian.net/browse/LPD-16463 initiative and the related tickets. It's still behind feature flag but we are working on releasing a basic set of directives to support. We're just planning how to extend the list of the supported directives in time afterwards. Eliminating 'unsafe-inline' and 'unsave-eval' will be a step in the process.

Regards,
Zsigmond

CSP unsafe-inline unsafe-eval

2024-02-20T09:26:03Z

Hello,

Motivation:
From pentesting there are findings like:
"Potentially insecure policy ineffective headers: Content-Security-Policy"
Or from https://securityheaders.com/ there is:
"This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive."

Remediation:
There is no need for “unsafe-inline” and “unsafe-eval” directives, fix the Content-Security-Policy header.

Testing:
When "unsafe-inline" and "unsafe-eval" are removed within the script-src directive then the login page is disabled. Login form (inputs and submit button) throwing the following to the browser console:
"Refused to execute inline script because it violates the following Content Security Policy directive: ..."
"Uncaught ReferenceError: Liferay is not defined"
And I think there are more buttons and control elements disabled within the portal.

Conclusion:
I know this is rather a recommendation than a limitation. But according to:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
"Disallowing inline styles and scripts is one of the biggest security wins CSP provides."
So my question is: Is there any Liferay DEV plan to eliminate "unsafe-inline"|"unsafe-eval" directives?