Hello team
We were experiencing security issues with the CSP security headers, specifically the script-src directive, because of the use of the 'unsafe-inline' and 'unsafe-eval' options, which are vulnerable. I am using Vaadin version 24. We attempted to address 'unsafe-eval' by using the code you provided in your GitHub repository; to tackle 'unsafe-inline' we listed all inline scripts' SHA hashes to allow only those scripts, but we were still unable to load the web page.
Therefore, can you kindly assist us with this matter by providing us with information and clarification?
What does your current CSP handling look like?
import java.time.Duration;

import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configurers.HeadersConfigurer;
import org.springframework.security.web.header.writers.ReferrerPolicyHeaderWriter;
import org.springframework.security.web.header.writers.StaticHeadersWriter;
import static org.springframework.security.config.Customizer.withDefaults;

private static void setupSecurityHeaders(HttpSecurity http) throws Exception {
    http.headers(headers -> headers
            // HSTS for one year, including subdomains, eligible for the preload list
            .httpStrictTransportSecurity(security -> security
                    .maxAgeInSeconds(Duration.ofDays(365L).getSeconds())
                    .includeSubDomains(true).preload(true))
            .xssProtection(withDefaults())
            // CSP directives are separated by "; " (no leading separator)
            .contentSecurityPolicy(policy -> policy.policyDirectives(
                    "font-src 'self' data: https://fonts.gstatic.com" +
                    "; img-src 'self' data:" +
                    "; media-src 'self'" +
                    "; object-src 'self'" +
                    "; script-src 'unsafe-inline' 'unsafe-eval' 'self' data:" +
                    "; style-src 'unsafe-inline' 'unsafe-eval' 'self' data: https://fonts.googleapis.com/css"))
            .addHeaderWriter(new StaticHeadersWriter("Feature-Policy", ""))
            // .addHeaderWriter(new StaticHeadersWriter("X-XSS-Protection", "1; mode=block"))
            .frameOptions(HeadersConfigurer.FrameOptionsConfig::sameOrigin)
            .referrerPolicy(policy -> policy.policy(ReferrerPolicyHeaderWriter.ReferrerPolicy.SAME_ORIGIN)));
}
These are the present CSP headers we are using; in the script-src directive we want to remove 'unsafe-inline', 'unsafe-eval' and 'data:'.
I have / had the same problem: some plugin or whatever needs 'unsafe-eval', and if it is forbidden the app will not start. I did not find a valid solution.
Hi team, any update on this issue?
What error message do you get?
@Leif the problem is, if you have
response.getVaadinResponse().setHeader("Content-Security-Policy","script-src 'self' 'nonce-" + nonce + "';");
instead of
response.getVaadinResponse().setHeader("Content-Security-Policy","script-src 'self' 'nonce-" + nonce + "' 'unsafe-eval';");
the frontend loads infinitely and never comes to an end. It looks like eval() is used somewhere internally in Vaadin. So eval must be allowed in order to get it working (but then eval is allowed).
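The two setHeader() lines above hard-code the nonce handling; the snippet below is an added example (not Vaadin's or Spring Security's code, and not from this thread) showing how the first poster's static policyDirectives() can be replaced with a Spring Security HeaderWriter that emits a fresh per-request nonce, keeps the other directives from the original configuration, drops 'unsafe-inline', 'unsafe-eval' and data: from script-src, and can run in Report-Only mode so the page keeps loading while violations are collected. The class name, the request attribute name and the /csp-report path are assumptions; as the thread notes, whether Vaadin's own bootstrap then loads still depends on the application-specific configuration in the Vaadin strict-CSP documentation, and the nonce must also be placed on the script tags Vaadin renders.

```java
import java.security.SecureRandom;
import java.util.Base64;

import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.web.header.HeaderWriter;

/**
 * Added example, not Vaadin's or Spring's code: a nonce-based CSP header writer.
 * Class name, attribute name and report path are hypothetical.
 */
public class NonceCspHeaderWriter implements HeaderWriter {

    /** Request attribute holding the nonce so the page renderer can put it on <script nonce="..."> tags. */
    public static final String NONCE_ATTRIBUTE = "cspNonce";
    private static final SecureRandom RANDOM = new SecureRandom();
    private final boolean reportOnly;

    /** reportOnly=true writes Content-Security-Policy-Report-Only: violations are reported, nothing is blocked. */
    public NonceCspHeaderWriter(boolean reportOnly) {
        this.reportOnly = reportOnly;
    }

    /**
     * Returns the nonce for this request, creating it on first use. Spring's HeaderWriterFilter may
     * call writeHeaders() only when the response is committed, i.e. after the page was rendered, so
     * whichever side (renderer or header writer) asks first must be the one that generates it.
     */
    public static String nonceFor(HttpServletRequest request) {
        Object existing = request.getAttribute(NONCE_ATTRIBUTE);
        if (existing instanceof String nonce) {
            return nonce;
        }
        byte[] bytes = new byte[16];          // 128 bits from a CSPRNG: unguessable per response
        RANDOM.nextBytes(bytes);
        String nonce = Base64.getEncoder().encodeToString(bytes);
        request.setAttribute(NONCE_ATTRIBUTE, nonce);
        return nonce;
    }

    /** The thread's directives, with script-src trusting only 'self' and the nonce, plus a report target. */
    static String buildPolicy(String nonce) {
        return String.join("; ",
                "script-src 'self' 'nonce-" + nonce + "'",
                "style-src 'self' 'unsafe-inline' data: https://fonts.googleapis.com/css",
                "font-src 'self' data: https://fonts.gstatic.com",
                "img-src 'self' data:",
                "media-src 'self'",
                "object-src 'self'",
                "report-uri /csp-report");   // endpoint path is an assumption
    }

    @Override
    public void writeHeaders(HttpServletRequest request, HttpServletResponse response) {
        String headerName = reportOnly
                ? "Content-Security-Policy-Report-Only"
                : "Content-Security-Policy";
        response.setHeader(headerName, buildPolicy(nonceFor(request)));
    }

    /** Wiring: use this in place of .contentSecurityPolicy(...) in the setupSecurityHeaders() method above. */
    static void apply(HttpSecurity http, boolean reportOnly) throws Exception {
        http.headers(headers -> headers.addHeaderWriter(new NonceCspHeaderWriter(reportOnly)));
    }
}
```

Start with reportOnly=true and keep the existing Content-Security-Policy header in place; the browser enforces the old policy while reporting every script the nonce policy would have blocked, which is the list of things that still need a nonce, a hash or a fix before the enforcing header can be switched over.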
Vaadin cannot support strict CSP settings without a little bit of application-specific configuration, which is described in How to enable strict CSP in Vaadin Flow.
At some point we looked into this as well. Use the CSP report header to find out what is causing issues, and then you can add these signatures to csp.js. This way we eventually managed to get our application to run under strict CSP with nonced JS files, as suggested in the Vaadin documentation.
The problem with this is that unless you click through almost your complete application, you can never be sure that csp.js overrides all troublesome signatures. The addition of an add-on, a Vaadin upgrade, or a developer doing Page.executeJs(…) can all cause CSP to trip up, and unless you have a browser test for all pages, you won't detect it until runtime. This makes CSP risky to enable. And with it being so difficult to test, we abandoned it.
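The "click through the whole application and read the reports" step described above is easier when the reports are reduced to a short list of distinct violations rather than read one by one. The endpoint below is an added example (not Vaadin's code and not from this thread) of a Spring MVC controller that receives report-uri reports, collapses each one to the signature that matters (directive, blocked source such as eval or inline, source file and script sample) and counts how often it occurs; the controller name, the /csp-report path and the sample report are constructed for the example.

```java
import java.util.Comparator;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicInteger;

import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.springframework.http.HttpStatus;
import org.springframework.web.bind.annotation.PostMapping;
import org.springframework.web.bind.annotation.RequestBody;
import org.springframework.web.bind.annotation.ResponseStatus;
import org.springframework.web.bind.annotation.RestController;

/** Added example, not Vaadin's code: aggregates CSP violation reports into distinct signatures. */
@RestController
public class CspReportController {

    private static final ObjectMapper MAPPER = new ObjectMapper();
    /** signature -> count; in memory for illustration, a real deployment would log or persist these. */
    private final Map<String, AtomicInteger> counts = new ConcurrentHashMap<>();

    /** Browsers POST report-uri reports as application/csp-report; a String body accepts either media type. */
    @PostMapping(value = "/csp-report", consumes = {"application/csp-report", "application/json"})
    @ResponseStatus(HttpStatus.NO_CONTENT)
    public void receive(@RequestBody String body) throws Exception {
        record(body);
    }

    /** Reduces one report to the signature you need to nonce, hash or fix, and counts it. */
    String record(String body) throws Exception {
        JsonNode report = MAPPER.readTree(body).path("csp-report");
        String directive = report.path("effective-directive")
                .asText(report.path("violated-directive").asText("?"));
        String blocked = report.path("blocked-uri").asText("?");   // "eval", "inline" or a URL
        String source = report.path("source-file").asText("");     // script that called eval(), if any
        String sample = report.path("script-sample").asText("");   // first characters of the inline code
        String signature = directive + " | " + blocked
                + (source.isEmpty() ? "" : " | " + source)
                + (sample.isEmpty() ? "" : " | " + sample.strip());
        counts.computeIfAbsent(signature, k -> new AtomicInteger()).incrementAndGet();
        return signature;
    }

    /** Snapshot of what tripped the policy, most frequent first. */
    public Map<String, Integer> summary() {
        Map<String, Integer> result = new LinkedHashMap<>();
        counts.entrySet().stream()
                .sorted(Comparator.comparingInt((Map.Entry<String, AtomicInteger> e) -> e.getValue().get()).reversed())
                .forEach(e -> result.put(e.getKey(), e.getValue().get()));
        return result;
    }

    /** Stand-alone run over two constructed reports (not captured from a real browser). */
    public static void main(String[] args) throws Exception {
        CspReportController controller = new CspReportController();
        String evalReport = "{\"csp-report\":{\"document-uri\":\"https://app.example/\","
                + "\"effective-directive\":\"script-src\",\"blocked-uri\":\"eval\","
                + "\"source-file\":\"https://app.example/VAADIN/build/example-bundle.js\"}}";
        String inlineReport = "{\"csp-report\":{\"document-uri\":\"https://app.example/\","
                + "\"violated-directive\":\"script-src\",\"blocked-uri\":\"inline\","
                + "\"script-sample\":\"window.Vaadin = window.Vaadin || {};\"}}";
        controller.record(evalReport);
        controller.record(evalReport);
        controller.record(inlineReport);
        controller.summary().forEach((signature, count) -> System.out.println(count + "x  " + signature));
    }
}
```

The browser sends these reports without the user's session context, so in the Spring Security configuration the path has to be reachable anonymously and excluded from CSRF protection, for example with http.csrf(csrf -> csrf.ignoringRequestMatchers("/csp-report")) and authorizeHttpRequests(auth -> auth.requestMatchers("/csp-report").permitAll()). Running it under a Report-Only header for a while, and diffing the summary after an add-on or Vaadin upgrade, is a cheap substitute for the per-page browser tests mentioned above.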