RE: RE: CSP unsafe-inline unsafe-eval
Hello,

Motivation:
From pentesting there are findings like:
"Potentially insecure policy ineffective headers: Content-Security-Policy"
Or from https://securityheaders.com/ there is:
"This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive."

Remediation:
There is no need for the "unsafe-inline" and "unsafe-eval" directives; fix the Content-Security-Policy header.

Testing:
When "unsafe-inline" and "unsafe-eval" are removed from the script-src directive, the login page is disabled. The login form (inputs and submit button) throws the following to the browser console:
"Refused to execute inline script because it violates the following Content Security Policy directive: ..."
"Uncaught ReferenceError: Liferay is not defined"
And I think there are more buttons and control elements disabled within the portal.

Conclusion:
I know this is rather a recommendation than a limitation. But according to:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
"Disallowing inline styles and scripts is one of the biggest security wins CSP provides."
So my question is: Is there any Liferay DEV plan to eliminate the "unsafe-inline"|"unsafe-eval" directives?
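The scanner findings quoted above come from inspecting the script-src directive of the header. The following is an added example (not Liferay code, and not from the original post) that parses a Content-Security-Policy header and reports the same two weaknesses, using constructed sample policies; it also handles the case where a nonce or hash is present, since CSP3-aware browsers then ignore 'unsafe-inline'.

```python
"""Flag weak script-src settings in a Content-Security-Policy header.

Added example, not Liferay code. The sample policies below are constructed."""
from typing import Dict, List


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a CSP header into {directive: [source expressions]}.
    Directives are ';'-separated; the first token of each is the name."""
    policy: Dict[str, List[str]] = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def script_src_findings(header: str) -> List[str]:
    """Return the findings a header scanner would raise for script-src.

    Falls back to default-src when script-src is absent, as browsers do.
    A nonce or hash source makes 'unsafe-inline' ignored by CSP3 browsers,
    so that case is reported as a legacy fallback rather than a finding."""
    policy = parse_csp(header)
    sources = policy.get("script-src", policy.get("default-src", []))
    lowered = [s.lower() for s in sources]
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered
    )
    findings: List[str] = []
    if "'unsafe-inline'" in lowered:
        if has_nonce_or_hash:
            findings.append("script-src: 'unsafe-inline' is ignored by browsers that "
                            "honour the nonce/hash (kept only as a legacy fallback)")
        else:
            findings.append("script-src: 'unsafe-inline' lets injected inline scripts run")
    if "'unsafe-eval'" in lowered:
        findings.append("script-src: 'unsafe-eval' permits eval()/new Function(), "
                        "widening what a script injection can execute")
    return findings


# Constructed sample policies: the weak one beside a nonce-based hardened one
WEAK_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'"
HARDENED_POLICY = "default-src 'self'; script-src 'self' 'nonce-d3Jpd3Rz'"

if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, script_src_findings(policy) or ["no script-src findings"])
```

The hardened policy only works once every inline script carries the matching per-response nonce, which is exactly the page-level change the login form errors in the post point to.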
Hi Václav,
We have been working on CSP support in the portal already. You can watch the https://liferay.atlassian.net/browse/LPD-16463 initiative and the related tickets. It's still behind a feature flag, but we are working on releasing a basic set of directives to support. We're just planning how to extend the list of the supported directives in time afterwards. Eliminating 'unsafe-inline' and 'unsafe-eval' will be a step in the process.
Regards,
Zsigmond
Thank you, Zsigmond.