I am developing an application with Vaadin and I use Content-Security-Policy in my BootstrapListener. When I test my application with OWASP ZAP, I have problem with script-src 'unsafe-inline'
(medium risk). When I delete the 'unsafe-inline', my application doesn't work.
My code:
String csp = "";
String defaultSrc = "default-src 'none'";
String styleSrc = "style-src 'unsafe-inline' 'self'";
String fontSrc = "font-src 'self'";
String scriptSrc = "script-src 'unsafe-inline' 'unsafe-eval' 'self'";
String imgSrc = "img-src 'self'";
String connectSrc = "connect-src 'self'";
String frameAncestors = "frame-ancestors 'self'";
String formAction = "form-action 'self'";
csp = Arrays.asList(defaultSenter code hererc,styleSrc,fontSrc,scriptSrc,imgSrc,connectSrc,frameAncestors,formAction).stream().collect(Collectors.joining(";"));
As per Vaadin documentation using
scriptSrc = "script-src 'unsafe-inline' 'unsafe-eval' 'self'";
is a known "limitation" or architectural choice of the devs that you can't change without major modifications in the framework:XSS/Code injection securitywise, what you can do (or may already did) is using the built in escaping for outputs:
and sanitization:
Furthermore there is a reason why those are marked as "unsafe-", the problem is that if there is a flaw in the framework or you miss an escaping then CSP can't differentiate injected code from the original. You should always "tag" your own safe scripts by putting them in external files or using nonce.