Describe the bug
I have been using Netlify CMS for sites without a content security policy. I am now trying to increase the security of my sites by adding this.
The CSP requires defining what sources are allowed for scripts, styles, frames, objects, etc.
The CSP also blocks things like eval in any JS execution and also generally inline-scripts or styles.
While it is possible to globally allow these things by setting unsafe-inline or unsafe-eval as permitted, this is not recommended, as it defeats the purpose of the CSP.
Here is the CSP I am applying to one of my sites via a special file that Netlify recognises on deploy:

```
/*
  X-Frame-Options: sameorigin
  X-XSS-Protection: 1; mode=block
  X-Content-Type-Options: nosniff
  Referrer-Policy: strict-origin-when-cross-origin
  Content-Security-Policy: default-src 'self'; font-src 'self' fonts.googleapis.com https://use.fontawesome.com https://fonts.gstatic.com; img-src 'self'; object-src 'self' https://www.netlify.com https://identity.netlify.com; script-src 'self' https://www.google.com https://www.googletagmanager.com https://www.gstatic.com https://identity.netlify.com https://cdn.jsdelivr.net; style-src 'self' https://fonts.googleapis.com https://use.fontawesome.com; frame-src https://www.google.com
```
As you can see, I have already attempted to somehow make anything coming from Netlify permissible, but Firefox states (among other things):
```
Content Security Policy: The page’s settings blocked the loading of a resource at eval (“script-src”)
Content Security Policy: The page’s settings blocked the loading of a resource at inline (“script-src”)
```
To Reproduce
Deploy any site to Netlify with a Content Security Policy which does not permit unsafe-eval or unsafe-inline
Expected behavior
Once Netlify has been added as a permitted source for scripts, styles, etc., I expect this to allow loading the CMS. This may require a way to load the Netlify CMS without an inline script tag, but I am not seeing this issue with other scripts, like Google Tag Manager.
Eval may be a bigger issue, as that would require a change to the CMS' code, and eval may be unavoidable.
Applicable Versions:
Tested on:
- Firefox 65.0.1, Manjaro Linux
- Chrome 72, Manjaro Linux
- Chrome 72, Windows 10
CMS configuration
not relevant for this, presumably