On Wed, Mar 5, 2014 at 11:16 AM, Nick Gleason <n.glea...@citysoft.com>wrote:
> Hi Pete,
>
> I've been researching CSP and it sounds like a pretty cool option. But I
> just wanted to follow up on this comment that you made below:
>
> ------------------------------------------
> it will also block inline scripts and style elements
> ------------------------------------------
>
> Are you saying that even if you have the "self" or "default" values in
> place, it will block a regular old script in your page? For instance, if
> you just have something like this:
>
> <script>CODE HERE</script>
>
> That will be a problem? Why?

Hi Nick,

Yes. If you have the following:

Content-Security-Policy: default-src 'self';

it will block any <script>code here</script> tags in your page; you can only use <script src="/some/uri"></script>.

This is a recognized problem in CSP 1.0, and CSP 1.1 is currently in development right now with two solutions for this use case. You can specify a nonce in the header, so you would do something like this:

Content-Security-Policy: script-src 'self' 'nonce-random_string_123';

Then you can do this:

<script nonce="random_string_123">code here</script>

You can do the same for inline style tags. See
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#nonce-usage-for-script-elements

The second option in CSP 1.1 is hash whitelisting, where you compute a hash of the script contents and put that in the header. See
http://w3c.github.io/webappsec/specs/content-security-policy/csp-specification.dev.html#hash-usage-for-script-elements

--
Pete Freitag - Adobe Community Professional
http://foundeo.com/ - ColdFusion Consulting & Products
http://hackmycf.com - Is your ColdFusion Server Secure?
http://www.youtube.com/watch?v=ubESB87vl5U - FuseGuard your CFML in 10 minutes

Archive: http://www.houseoffusion.com/groups/cf-talk/message.cfm/messageid:357861