dnnsoftware / Dnn.Platform

DNN (formerly DotNetNuke) is the leading open source web content management platform (CMS) in the Microsoft ecosystem.
https://dnncommunity.org/
MIT License

Add Support for Content-Security-Policy: script-src to not require unsafe-inline #5075

Closed radun2 closed 1 year ago

radun2 commented 2 years ago

Description of problem

I would like to create a CSP that doesn't include unsafe-inline (e.g. Content-Security-Policy: script-src 'unsafe-inline'). If set differently, it will not allow, for starters, the Persona Bar to work, and this blocks entering edit mode and so on. DNN basically needs inline scripts to work, and if asked to not have inline scripts it will break.

Description of solution

Use nonce on the tag scripts that are added by DNN for its functionality. https://content-security-policy.com/nonce/

Description of alternatives considered

Use sha256-... on tag scripts that are added by DNN for its functionality. https://content-security-policy.com/hash/

Screenshots

Not applicable

Additional context

Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. I expect the attack tools to adapt to weak CSPs, but it will mean a lot of common exploits are immediately off the cards, or harder.

Affected browser

radun2 commented 2 years ago

Also maybe this library would be of help for this feature request? https://github.com/NWebsec/NWebsec

mitchelsellers commented 2 years ago

This is being discussed in issue #4850 and is a much larger impact change for the platform than it may seem due to third-party modules and other factors.

stale[bot] commented 2 years ago

We have detected this issue has not had any activity during the last 90 days. That could mean this issue is no longer relevant and/or nobody has found the necessary time to address the issue. We are trying to keep the list of open issues limited to those issues that are relevant to the majority and to close the ones that have become 'stale' (inactive). If no further activity is detected within the next 14 days, the issue will be closed automatically. If new comments are posted and/or a solution (pull request) is submitted for review that references this issue, the issue will not be closed. Closed issues can be reopened at any time in the future. Please remember those participating in this open source project are volunteers trying to help others and creating a better DNN Platform for all. Thank you for your continued involvement and contributions!

stale[bot] commented 1 year ago

This issue has been closed automatically due to inactivity (as mentioned 14 days ago). Feel free to re-open the issue if you believe it is still relevant.

obujeiromhginsurance commented 2 months ago

This is still a security issue. I have not found any solution to this inline script that comes with DNN's login button:

<a id="dnn_ctr_Login_Login_DNN_cmdLogin" title="Login" class="dnnPrimaryAction dnnDisabledAction" href="javascript:__doPostBack('dnn$ctr$Login$Login_DNN$cmdLogin','')">Login</a>

Tried nonce and unsafe-hashes and hash, no solution.

Problem: login. Was not able to solve this without adding unsafe-inline. ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'

Based on DNN's answer this is definitely a product to be completely replaced.