[LF7.x] CSP compatibility
Hello,
Is Liferay Portal CSP compliant?
Actually, if we try to add the CSP directive
Content-Security-Policy: script-src 'self';
the portal loads with lots of errors in browser console like these:
Content Security Policy: The page's settings blocked the loading of a resource at inline ("script-src")
Uncaught ReferenceError: Liferay is not defined
Uncaught ReferenceError: AUI is not defined
Are we missing something?
Is there any plan in the future to make Liferay Portal CSP compliant by removing all inline scripts and styles?
Hi Tinfo,
Making the portal CSP compliant is one of our next enhancements. You can watch the https://issues.liferay.com/browse/LPS-134060 ticket for updates.
That is also planned to cover what to do with inline scripts and styles at some point.
I would personally appreciate it if you could share any experiences or further needs that you think we should consider in the implementation. I mean, beyond what needs to be implemented to be compliant with the standard.
Thanks,
Zsigmond
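The blocking behaviour reported in the question can be checked against a page before a policy is deployed. The following is an added example, not code from this thread or from Liferay: it parses a Content-Security-Policy value and lists the inline script blocks the policy would refuse, including the rule that 'unsafe-inline' is ignored once a nonce or hash is listed. The function names, the sample markup and the nonce value are assumptions made for illustration, and hash sources are recognised but not matched, so a script permitted only by its hash is reported as blocked.

```javascript
// Added example. Policy strings and markup are constructed samples.

// Parse a Content-Security-Policy header value into Map<directive, sources[]>.
function parseCsp(header) {
  const policy = new Map();
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored: the first occurrence wins.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

// Is an inline <script> carrying this nonce (or null) allowed to run?
// Fallback chain: script-src-elem -> script-src -> default-src.
function inlineScriptAllowed(policy, nonce) {
  const list = policy.get('script-src-elem') ?? policy.get('script-src') ?? policy.get('default-src');
  if (list === undefined) return true; // no governing directive, nothing is restricted
  const nonces = list.map((s) => /^'nonce-(.+)'$/i.exec(s)).filter(Boolean).map((m) => m[1]);
  if (nonce && nonces.includes(nonce)) return true;
  const keywords = list.map((s) => s.toLowerCase());
  const hasHash = keywords.some((s) => /^'sha(256|384|512)-/.test(s));
  // 'unsafe-inline' is ignored once a nonce, a hash or 'strict-dynamic' is listed.
  if (nonces.length || hasHash || keywords.includes("'strict-dynamic'")) return false;
  return keywords.includes("'unsafe-inline'");
}

// List the inline <script> bodies in `html` that `header` would block.
// Regex scanning is an approximation for an audit pass, not a full HTML parser.
function blockedInlineScripts(html, header) {
  const policy = parseCsp(header);
  const blocked = [];
  for (const [, attrs, body] of html.matchAll(/<script\b([^>]*)>([\s\S]*?)<\/script\s*>/gi)) {
    if (/\bsrc\s*=/i.test(attrs) || !body.trim()) continue; // external or empty
    const m = /\bnonce\s*=\s*["']([^"']*)["']/i.exec(attrs);
    if (!inlineScriptAllowed(policy, m ? m[1] : null)) blocked.push(body.trim().slice(0, 60));
  }
  return blocked;
}

// Constructed page: one external script and two inline ones that define the
// globals named in the console errors from the question.
const SAMPLE_PAGE = `
<script src="/js/main.js"></script>
<script>var Liferay = {};</script>
<script nonce="r4nd0m">var AUI = {};</script>`;

console.log(blockedInlineScripts(SAMPLE_PAGE, "script-src 'self';"));
console.log(blockedInlineScripts(SAMPLE_PAGE, "script-src 'self' 'nonce-r4nd0m'"));
```

Event-handler attributes and inline styles are governed by other checks and are not covered by this scan.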