Cross-site scripting (XSS) vulnerabilities are a severe threat for all high-profile web applications like CoreMedia Studio. While conscientious output escaping always has to be the first choice in order to avoid cross-site scripting attacks, most modern web browsers offer a newer standard called Content Security Policy (CSP) as a second line of defense (see http://www.w3.org/TR/CSP/).
Default Policy
The standard Blueprint CoreMedia Studio enables Content Security Policy by default. It sends at least the following default CSP header to the browser.
default-src 'none'; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-eval'; img-src 'self'; connect-src 'self'; object-src 'self'; font-src 'self'; media-src 'self'; frame-src <YOUR_PREVIEW_ORIGIN>
The header value represents the minimum set of directives that complies with the requirements of the Studio and its third-party libraries. Both the 'unsafe-inline' value of the style-src directive and the 'unsafe-eval' value of the script-src directive are required by Ext JS.
Customize Policy
Each of the CSP directives that are included in the default header, plus the report-uri directive, can be easily customized.
Caution: Weakening the policy settings can have severe effects on the application's security. In particular, re-enabling inline script execution is considered harmful, as it thwarts all efforts to prevent XSS.
Customization is done via a set of studio.security.csp.* properties in the WEB-INF/application.properties property file of the Studio web application. Each property is responsible for one Content Security Policy directive.
studio.security.csp.scriptSrc: Takes a list of values for the script-src policy directive. Default values are 'self', 'unsafe-eval'.
studio.security.csp.styleSrc: Takes a list of values for the style-src policy directive. Default values are 'self', 'unsafe-inline'.
studio.security.csp.frameSrc: Takes a list of values for the frame-src policy directive. If no custom list is provided, the default value is determined in the following order of precedence: the studio.previewUrlWhitelist values, if specified; otherwise the scheme and authority of studio.previewUrlPrefix, if specified; otherwise 'self'.
studio.security.csp.connectSrc: Takes a list of values for the connect-src policy directive. Default value is 'self'.
studio.security.csp.fontSrc: Takes a list of values for the font-src policy directive. Default value is 'self'.
studio.security.csp.imgSrc: Takes a list of values for the img-src policy directive. Default value is 'self'.
studio.security.csp.mediaSrc: Takes a list of values for the media-src policy directive. Default value is 'self'.
studio.security.csp.objectSrc: Takes a list of values for the object-src policy directive. Default value is 'self'.
studio.security.csp.reportUri: Takes a list of values for the report-uri policy directive. If no custom list is provided, the directive is not included in the CSP header.
studio.security.csp.frameAncestors: Takes a list of values for the frame-ancestors policy directive. Default value is 'none'. This directive is used to defend against clickjacking attacks. Please note that the frame-ancestors directive is part of the Content Security Policy Level 2 standard, which is not yet supported by all browsers that support Content Security Policy Level 1. If required, similar functionality can be achieved for legacy browsers by setting an appropriate X-Frame-Options header.
Here is an example of how an adapted property looks:
studio.security.csp.objectSrc='self',www.exampleDomain.com
Write CSP Compliant Code
According to the default policy, inline JavaScript will not be executed. This restriction bans both inline script blocks and inline event handlers (for example onclick="..."). The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible to accidentally execute scripts provided by a malicious third party. It does, however, require a clean separation between content and behavior (which is good practice anyway). The required code changes for inline JavaScript code can be summarized as follows:
Inline script blocks need to move into external JavaScript files.
Inline event handler definitions must be rewritten in terms of addEventListener and extracted into component code.
CSP violations can be easily discovered by monitoring the browser console. All violations are logged as errors including further details about the violation type and culprit.
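Rather than discovering violations one at a time in the browser console, the inline script blocks and inline event handlers described above can be located in templates up front. The following is an added example, not CoreMedia code: a regex-based first-pass scanner that reports both kinds of inline JavaScript the default policy refuses to run, with the rewrite each one needs. The sample template it scans is constructed for the example; the scanner is not a full HTML parser.

```javascript
// Added example (not CoreMedia code): a first-pass scanner for the two kinds of
// inline JavaScript that the default policy refuses to run, so templates can be
// cleaned up before switching from REPORT to ENFORCE mode rather than finding
// each violation one at a time in the browser console. Regex-based: good enough
// for templates, not a full HTML parser. The sample template is constructed.

const INLINE_SCRIPT_RE = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
// An event-handler attribute: whitespace, on<event>, "=", then the value.
const INLINE_HANDLER_RE = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*'|[^\s>]+)/gi;

// 1-based line number of a character offset in the template.
function lineOf(text, index) {
  return text.slice(0, index).split("\n").length;
}

function findInlineJavaScript(html) {
  const findings = [];
  for (const m of html.matchAll(INLINE_SCRIPT_RE)) {
    const [, attrs, body] = m;
    // <script src="..."></script> with an empty body is the compliant form.
    if (!/\bsrc\s*=/i.test(attrs) && body.trim().length > 0) {
      findings.push({
        kind: "inline-script",
        line: lineOf(html, m.index),
        fix: "move the script body into an external JavaScript file and load it via <script src>",
      });
    }
  }
  for (const m of html.matchAll(INLINE_HANDLER_RE)) {
    const event = m[1].toLowerCase();
    findings.push({
      kind: "inline-handler",
      line: lineOf(html, m.index),
      attribute: `on${event}`,
      fix: `drop the attribute and call element.addEventListener("${event}", handler) in component code`,
    });
  }
  return findings.sort((a, b) => a.line - b.line);
}

// Constructed sample: one compliant external script and three violations.
const SAMPLE_TEMPLATE = [
  '<button id="save" onclick="saveDocument()">Save</button>',
  '<script src="/studio/app.js"></script>',
  "<script>",
  "  window.studioConfig = { previewUrl: '/preview' };",
  "</script>",
  '<img src="/logo.png" onerror="this.style.display=\'none\'">',
].join("\n");

// The compliant rewrite of line 1 is
//   <button id="save">Save</button>
// plus, in the component's external JavaScript file:
//   document.getElementById("save").addEventListener("click", saveDocument);
// The configuration object on lines 3-5 moves into that external file as well.

for (const f of findInlineJavaScript(SAMPLE_TEMPLATE)) {
  console.log(`line ${f.line}: ${f.kind}${f.attribute ? ` (${f.attribute})` : ""} -> ${f.fix}`);
}
```

Run it with node over a template file's contents; each finding names the line and the kind of rewrite, so the list doubles as the work list for the migration to external scripts and addEventListener.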
Customize CSP Mode
CoreMedia Studio can run in one of four supported CSP modes.
ENFORCE: Full CSP protection is enabled. All directives are enforced and reported.
ENFORCE_ALLOW_DISABLE: Enables full CSP protection unless the disableCsp query parameter is set to 'true'. This mode is not recommended for a production environment.
REPORT: CSP protection is enabled in report-only mode. All violations are reported using the report-uri directives configured in studio.security.csp.reportUri, but the directives are not enforced. This mode is not recommended for a production environment.
DISABLE: CSP protection is disabled. This setting is not recommended.
The configuration is done via the studio.security.csp.mode key of the WEB-INF/application.properties property file of the Studio web application.
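The following is an added example, not CoreMedia code, that models how the studio.security.csp.* properties from the Customize Policy section and the studio.security.csp.mode key combine into the header the browser receives: the documented per-directive defaults, the frame-src fallback order, report-uri only when configured, and which header (if any) each mode sends. It also audits a configuration for the weakenings the Caution box warns about. The property names are those on this page; the comma-separated value format is an assumption taken from the documented example studio.security.csp.objectSrc='self',www.exampleDomain.com, and the mapping of REPORT to the standard Content-Security-Policy-Report-Only header is how report-only CSP works in browsers, not a description of Studio's internals.

```javascript
// Added example (not CoreMedia code): models how the studio.security.csp.*
// properties become a Content-Security-Policy header. The comma-separated
// value format is an assumption taken from the documented example
// studio.security.csp.objectSrc='self',www.exampleDomain.com

// property name, directive it configures, documented default values
const DIRECTIVE_PROPS = [
  ["studio.security.csp.scriptSrc", "script-src", ["'self'", "'unsafe-eval'"]],
  ["studio.security.csp.styleSrc", "style-src", ["'self'", "'unsafe-inline'"]],
  ["studio.security.csp.imgSrc", "img-src", ["'self'"]],
  ["studio.security.csp.connectSrc", "connect-src", ["'self'"]],
  ["studio.security.csp.objectSrc", "object-src", ["'self'"]],
  ["studio.security.csp.fontSrc", "font-src", ["'self'"]],
  ["studio.security.csp.mediaSrc", "media-src", ["'self'"]],
  ["studio.security.csp.frameAncestors", "frame-ancestors", ["'none'"]],
];

// Split a property value such as 'self',www.exampleDomain.com into source values.
function parseList(value) {
  return value.split(",").map((v) => v.trim()).filter((v) => v.length > 0);
}

// frame-src default hierarchy from the documentation: an explicit frameSrc
// property wins; otherwise studio.previewUrlWhitelist; otherwise the scheme and
// authority of studio.previewUrlPrefix; otherwise 'self'.
function frameSrcValues(props) {
  if (props["studio.security.csp.frameSrc"]) return parseList(props["studio.security.csp.frameSrc"]);
  if (props["studio.previewUrlWhitelist"]) return parseList(props["studio.previewUrlWhitelist"]);
  if (props["studio.previewUrlPrefix"]) return [new URL(props["studio.previewUrlPrefix"]).origin];
  return ["'self'"];
}

// Build the directive map. report-uri is only present when configured.
function buildCspDirectives(props) {
  const directives = { "default-src": ["'none'"] };
  for (const [prop, directive, defaults] of DIRECTIVE_PROPS) {
    directives[directive] = props[prop] ? parseList(props[prop]) : defaults;
  }
  directives["frame-src"] = frameSrcValues(props);
  if (props["studio.security.csp.reportUri"]) {
    directives["report-uri"] = parseList(props["studio.security.csp.reportUri"]);
  }
  return directives;
}

function serializeCsp(directives) {
  return Object.entries(directives).map(([name, values]) => `${name} ${values.join(" ")}`).join("; ");
}

// Choose the response header for the configured studio.security.csp.mode.
// Returns null when no CSP header is to be sent. Mapping REPORT to the
// standard Content-Security-Policy-Report-Only header is how report-only CSP
// works in browsers; it is not taken from Studio's source.
function cspHeader(props, { disableCsp = false } = {}) {
  const mode = props["studio.security.csp.mode"] || "ENFORCE";
  const value = serializeCsp(buildCspDirectives(props));
  switch (mode) {
    case "ENFORCE":
      return { name: "Content-Security-Policy", value };
    case "ENFORCE_ALLOW_DISABLE": // ?disableCsp=true switches protection off
      return disableCsp ? null : { name: "Content-Security-Policy", value };
    case "REPORT":
      return { name: "Content-Security-Policy-Report-Only", value };
    case "DISABLE":
      return null;
    default:
      throw new Error(`unknown studio.security.csp.mode: ${mode}`);
  }
}

// Review a configuration for the weakenings the Caution box warns about.
function auditCsp(props) {
  const directives = buildCspDirectives(props);
  const findings = [];
  const scriptSrc = directives["script-src"];
  if (scriptSrc.includes("'unsafe-inline'")) {
    findings.push("script-src permits 'unsafe-inline': inline scripts run again, defeating the XSS protection");
  }
  if (scriptSrc.includes("*") || scriptSrc.some((v) => /^https?:$/.test(v))) {
    findings.push("script-src permits scripts from any origin");
  }
  if (directives["frame-ancestors"].includes("*")) {
    findings.push("frame-ancestors '*' lets any site frame Studio (clickjacking)");
  }
  const mode = props["studio.security.csp.mode"] || "ENFORCE";
  if (mode !== "ENFORCE") {
    findings.push(`mode ${mode} is documented as not recommended for production`);
  }
  return findings;
}

// Stand-alone usage: the default header, then the audit of a weakened policy.
console.log(cspHeader({}).value);
console.log(auditCsp({ "studio.security.csp.scriptSrc": "'self','unsafe-inline'", "studio.security.csp.mode": "REPORT" }));
```

With an empty property set the model yields the default header from the Default Policy section (directive order aside, with frame-src falling back to 'self' and frame-ancestors 'none' added). Feeding it a proposed application.properties before deployment gives a quick check that a customization has not re-enabled inline scripts or left the Studio in a non-enforcing mode.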