Open larkworthy opened 3 years ago
Hi @larkworthy,
Perhaps a year late but I'd agree; the best practice for this library would be to not inline any styles or scripts so that `"default-src 'self'"` would be sufficient.
The most restrictive policy I could generate for version 6.0.5 is:
"default-src 'self'; script-src 'self' 'sha256-29KvUQtBdGhEjD36wVjowCcbYSzQFYz/12G+Q3SwFRE='; style-src 'self' 'sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU=' 'sha256-YMtUc29HaYBAAS/bFkyPYn8pD3FtgczsgqvWSSK7weQ=' 'sha256-lFM3E0OrK9yvMbQsE+cBXQZxKgBNnlF1NKBim8i51sI=' 'sha256-IHdzGAJ/dJwX6+L9U2MXqkGDEkza1pn7T8lsJlG1zCQ='; img-src 'self' data:; font-src data:; object-src 'none'; require-trusted-types-for 'script';"
Validated at https://csp-evaluator.withgoogle.com/
The downside of this approach being that upgrades to the library may require updating the hashes.
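A small script for regenerating those hashes after a library upgrade, added here as an example; it is not code from this thread or from the HealthChecks project. It assumes you have fetched the UI page's HTML and that the inline code lives in plain `<script>`/`<style>` elements (inline `style=` attributes are not covered, since those need `'unsafe-hashes'`); the sample HTML below is constructed, not the real UI page.

```python
import base64
import hashlib
import re

# A CSP hash covers the exact bytes between the opening and closing tag,
# including leading/trailing whitespace and newlines, so nothing is stripped.
INLINE_RE = re.compile(r"<(script|style)\b([^>]*)>(.*?)</\1\s*>", re.IGNORECASE | re.DOTALL)

def csp_hash(content: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for one inline block."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_hashes(html: str) -> dict[str, list[str]]:
    """Collect one hash per distinct inline block, keyed by the directive that needs it."""
    found: dict[str, list[str]] = {"script-src": [], "style-src": []}
    for tag, attrs, body in INLINE_RE.findall(html):
        # <script src=...> is an external file: allowed by 'self', no hash needed.
        if tag.lower() == "script" and re.search(r"\bsrc\s*=", attrs, re.IGNORECASE):
            continue
        directive = "script-src" if tag.lower() == "script" else "style-src"
        token = csp_hash(body)
        if token not in found[directive]:
            found[directive].append(token)
    return found

def build_policy(html: str) -> str:
    """Assemble the script-src/style-src part of a policy: same-origin files plus the inline blocks."""
    hashes = inline_hashes(html)
    parts = [" ".join([d, "'self'", *hashes[d]]) for d in ("script-src", "style-src")]
    return "; ".join(parts) + ";"

# Constructed sample page: one external script, one inline script, one empty style block.
SAMPLE_HTML = """<html><head>
<script src="/placeholder-bundle.js"></script>
<script>window.x=1;</script>
<style></style>
</head></html>"""

if __name__ == "__main__":
    print(build_policy(SAMPLE_HTML))
```

Note that an empty `<style></style>` still yields a hash (the one for the empty string), which is why a page can end up with a hash in its policy that looks like it belongs to nothing.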
Bump.
Same problem, ran into this today.
I'd also like to add that when using NetEscapades.AspNetCore.SecurityHeaders.Headers, this gets the UI back:
```csharp
builder
    .AddScriptSrc()
    .Self()
    .WithHash256("Pog3qaswXe7/IWv8apyiJjOx0FUoFHU464msTqEeZNc="); // HealthChecks-UI
```
But because the fonts are embedded as data URIs, the icons and fonts are all broken.
This could be fixed with:
```csharp
builder
    .AddFontSrc()
    .Data();
```
But that is an insecure policy....
What would you like to be added: I'd like the HealthChecks UI page to support the CSP script-src header without using unsafe-inline.
Why is this needed: We use middleware (NWebSec) to set CSP headers in all our requests. The policy does not allow inline scripts without a nonce or a hash. Since the HealthCheck UI page has an inline script without a nonce or hash, the page does not load as the CSP policy blocks the script. The CSP script-src header would require unsafe-inline for the page to load. This essentially removes the XSS protection from the CSP header.
We'd like to be able to use the HealthCheck UI while maintaining the security from the CSP headers.