Go to main content

help desk

Is extenso allowing Content Security Policy?

How to prevent cross-site scripting and related attacks?

Asked on 2022-01-11 14:41:00

OFFICIAL ANSWER

Content Security Policy

computer security concept, to prevent cross-site scripting and related attacks

CSP is implemented in Extenso in sed_site_config:

 

 

The default directive is rather unsafe. The page_v3 template implement this code:

 

{_{
 // Implement Content-Security policy
 site_config = sql(single:true, "select csp,csp_value from sed_site_config");
 console("SITE=" .+ stringnify(site_config.rows));
 if site_config.rows.csp_value ne "" && site_config.rows.csp eq "yes" then
 }}
 \{_{  nonce = uuid();
 console("NONCE=".+nonce);
 csp = resub(dq(()), "##\s*nonce\s*##",nonce,"g");
 headers_out("Content-Security-Policy", csp);
 console("CSP=" .+ csp);
 }}
 {_{
 endif
}}

 

The variable nonce could be used to identify inline CSS and Javascript if you implement the following CSP directive:

 

default-src https:; style-src https: 'nonce-## nonce ##'; script-src https: 'nonce-## nonce ##'

 

In your inline CSS and Javascript you could use:

 

 <style nonce="{_{ nonce }}">
 h1 { color: blue;} 
 </style>  <script nonce="{_{ nonce }}">
 console.log('test');
 </script>
Answer by:
Pierre Laplante

Replied on: 2022-01-12 09:36:00