OfficeDev / office-js

A repo and NPM package for Office.js, corresponding to a copy of what gets published to the official "evergreen" Office.js CDN, at https://appsforoffice.microsoft.com/lib/1/hosted/office.js.
https://learn.microsoft.com/javascript/api/overview

'unsafe-inline' required in script-src content-security-policy to load excel-web-16.00.js #1687

Closed reidbill closed 7 months ago

reidbill commented 3 years ago

Message from office-js bot: We’re closing this issue because it has been inactive for a long time. We’re doing this to keep the issues list manageable and useful for everyone. If this issue is still relevant for you, please create a new issue. Thank you for your understanding and continued feedback.

Our security team would like us to have a strict content-security-policy without any 'unsafe-inline' within our directives. Currently, if we remove 'unsafe-inline' from the script-src directive, we get an error loading excel-web-16.00.js.

Expected Behavior

We would like to be able to remove the 'unsafe-inline' from our script-src to make the app more secure.

Current Behavior

excel-web fails to load with this error in the console excel-web-16.00.js:26 Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-ICa0DhwZQJsOd/Rn0N8H6FdQ71GfNL+op2zhAQ+Y4mM='), or a nonce ('nonce-...') is required to enable inline execution.

Steps to Reproduce, or Live Example

To reproduce, create an add-in for Excel and set the content-security-policy script-src directive to not include 'unsafe-inline'.

Context

Customers want to be assured of the best security possible; removing 'unsafe-inline' helps to prevent XSS attacks.

Your Environment

Useful logs

AlexJerabek commented 3 years ago

Thanks for the question @reidbill.

Tagging @mattgeim and @jeremy-msft to help answer.

lindalu-MSFT commented 3 years ago

@mattgeim @jeremy-msft @lumine2008 Do we need any more information from the customer to investigate? This issue needs attention. Thanks, linda

jeremy-msft commented 3 years ago

Assigning over to @mattgeim