ilich / MvcReportViewer

ASP.NET MVC Html Helpers for ReportViewer Control.
MIT License

Violations to Content Security Policy script-src #227

Open PetrosMaznas opened 4 years ago

PetrosMaznas commented 4 years ago

Hello,

We are in the process of implementing a Content Security Policy for our WebApplication, where we have been using MvcReportViewer for a long time now. After setting up our policy, and specifically our script-src directive to `script-src 'self';`, we experienced violations from MvcReportViewer. The policy indicates that only our scripts are allowed in the WebApplication, so that means that there are some inline scripts that are executed from somewhere else?

I want to mention here that we are using ContentSecurityPolicy-ReportOnly mode so we are allowing everything and just report the violation if any.

More specifically, we are getting several reports like: [Report Only] Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-LF0aAcx+zRwySpOdrvDMgq4aMaLpbLW5CxBIB8zWvfo='), or a nonce ('nonce-...') is required to enable inline execution.

that point to the MvcReportViewer in multiple places. One of them that I randomly discovered is the: `<script type='text/javascript'>window.hasUserSetHeight = false;</script><script type='text/javascript'>window.showPrintButton = true;</script>` that is created from: `private const string IsHeightChangedJs = "<script type='text/javascript'>window.hasUserSetHeight = {0};</script>";` that is located in MvcReportViewer.aspx.cs if I am not mistaken. The reason behind it is that this script is getting forced into the DOM and acts as an inline script, which seems to violate the policy as we don't allow inline scripts.

This is one of the examples, but I can gather up the rest and make a more detailed report if need be. Let me know if you need me to add any other specific information for this issue.

Is there going to be any change to make MvcReportViewer CSP-friendly? Is there any workaround so we can still use the NuGet package and not get the violations?

Regards, Petos

ilich commented 4 years ago

Hello,

I think the error is related to jQuery references within https://github.com/ilich/MvcReportViewer/blob/master/MvcReportViewerExample/MvcReportViewer.aspx file.

There are two options to fix the problem:

1. Create a custom build to load jQuery from your site
2. Update CSP to allow scripts from code.jquery.com. In this case the policy might be `Content-Security-Policy: script-src 'self' code.jquery.com`

Unfortunately I do not have to maintain the project, but feel free to fork it and send a pull request.
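The browser's error message quoted in the issue lists the three ways an inline script can be permitted without `'unsafe-inline'` (a hash or a nonce), and the reply above adds a host-source (`code.jquery.com`) for the external jQuery reference. The following is an added illustration of those mechanisms in Python; it is not code from MvcReportViewer. It is a deliberately simplified CSP evaluator (no path or port matching for host-sources, no CSP3 `'strict-dynamic'`), and the inline script body, page origin and jQuery URL are constructed samples. `csp_hash_source` can also be used to check a candidate script body against a reported hash such as the one in the issue, although which script body produced that particular hash is not established here.

```python
import base64
import hashlib
import secrets
from typing import Optional
from urllib.parse import urlparse

# Constructed sample input: the inline script body the issue reports. A browser hashes
# exactly the text between the <script> tags (as UTF-8), not the tags themselves.
INLINE_SCRIPT = "window.hasUserSetHeight = false;"
PAGE_ORIGIN = "https://app.example.com"                      # constructed origin for 'self'
JQUERY_URL = "https://code.jquery.com/jquery-3.6.0.min.js"   # constructed external script URL


def csp_hash_source(script_text: str, algo: str = "sha256") -> str:
    """Return the CSP hash-source expression for an inline script body,
    e.g. 'sha256-<base64 digest>', ready to be placed in script-src."""
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def make_nonce() -> str:
    """Generate a per-response nonce (128 random bits, base64). A nonce must be fresh for
    every response, so unlike a hash it cannot be baked into a C# const script string."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def parse_script_src(policy: str) -> list:
    """Extract the source list of the script-src directive from a policy header value."""
    for directive in policy.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "script-src":
            return parts[1:]
    return []


def inline_script_allowed(sources: list, script_text: str, nonce: Optional[str] = None) -> bool:
    """Simplified check for an inline <script>: allowed by 'unsafe-inline' (only when no hash
    or nonce source is present, which is the CSP2+ behaviour), by a matching hash, or by a
    matching nonce. Illustration only, not the browser's full algorithm."""
    has_hash_or_nonce = any(s.startswith(("'sha", "'nonce-")) for s in sources)
    if "'unsafe-inline'" in sources and not has_hash_or_nonce:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return any(csp_hash_source(script_text, algo) in sources
               for algo in ("sha256", "sha384", "sha512"))


def external_script_allowed(sources: list, script_url: str, page_origin: str) -> bool:
    """Simplified host-source matching for <script src=...>: 'self' matches the page origin;
    a bare host or scheme://host entry matches that host (a leading '*.' is a wildcard).
    Paths and ports inside host-sources are ignored in this illustration."""
    url, origin = urlparse(script_url), urlparse(page_origin)
    for src in sources:
        if src == "'self'":
            if (url.scheme, url.hostname, url.port) == (origin.scheme, origin.hostname, origin.port):
                return True
            continue
        if src.startswith("'"):
            continue  # keywords, hashes and nonces never match a URL
        scheme, _, rest = src.partition("://")
        if not rest:
            scheme, rest = "", src
        host = rest.split("/", 1)[0].split(":", 1)[0].lower()
        if scheme and scheme.lower() != url.scheme:
            continue
        if host.startswith("*."):
            if url.hostname and url.hostname.endswith(host[1:]):
                return True
        elif url.hostname == host:
            return True
    return False


def evaluate(policy: str, nonce: Optional[str] = None) -> dict:
    """Run the constructed samples against one policy and report both outcomes."""
    sources = parse_script_src(policy)
    return {
        "inline_ok": inline_script_allowed(sources, INLINE_SCRIPT, nonce),
        "jquery_ok": external_script_allowed(sources, JQUERY_URL, PAGE_ORIGIN),
    }


if __name__ == "__main__":
    base = "default-src 'self'; script-src 'self'"
    print("policy from the issue:", evaluate(base))                 # both blocked
    hashed = base + " " + csp_hash_source(INLINE_SCRIPT) + " code.jquery.com"
    print("hash + host-source added:", evaluate(hashed))            # both allowed
    n = make_nonce()
    print("nonce added:", evaluate(base + f" 'nonce-{n}'", nonce=n))
```

A hash is the natural fit for a fixed string such as the viewer's `IsHeightChangedJs` constant: its digest is stable as long as the emitted text is byte-for-byte identical (whitespace included), and the `{0}` placeholder simply yields one hash for `true` and one for `false`. A nonce, by contrast, has to be generated per response and threaded into every emitted `<script>` tag, which is why the inline scripts described in the issue cannot satisfy a nonce-based policy without a change to how the control renders them.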