8.2. Content Security Policy

Cross-site scripting (XSS) vulnerabilities are a severe threat to any high-profile web application such as CoreMedia Studio. Conscientious output escaping must always be the first line of defense against cross-site scripting attacks, but most modern web browsers also offer a newer standard called Content Security Policy (CSP) as a second line of defense (see http://www.w3.org/TR/CSP/).

Default Policy

The standard Blueprint CoreMedia Studio enables Content Security Policy by default. It sends at least the following default CSP header to the browser.

default-src 'none';
style-src 'self' 'unsafe-inline';
script-src 'self' 'unsafe-eval';
img-src 'self';
connect-src 'self';
object-src 'self';
font-src 'self';
media-src 'self';
frame-src <YOUR_PREVIEW_ORIGIN>

The header value represents the minimum set of directives needed to satisfy the requirements of Studio and its third-party libraries. Both the 'unsafe-inline' value of the style-src directive and the 'unsafe-eval' value of the script-src directive are required by Ext JS.

Customize Policy

Each of the CSP directives that are included in the default header plus the report-uri directive can be easily customized.

Caution

Note that weakening the policy settings can have severe effects on the application's security. Especially re-enabling inline script execution is considered harmful as it thwarts all efforts to prevent XSS.

Customization is done via a set of studio.security.csp.* properties in the WEB-INF/application.properties property file of the Studio web application. Each property is responsible for one Content Security Policy directive.

  • studio.security.csp.scriptSrc: Takes a list of values for the script-src policy directive. Default values are 'self','unsafe-eval'.

  • studio.security.csp.styleSrc: Takes a list of values for the style-src policy directive. Default values are 'self','unsafe-inline'.

  • studio.security.csp.frameSrc: Takes a list of values for the frame-src policy directive. The hierarchy of default values for this directive is as follows.

    • studio.previewUrlWhitelist values if specified.

    • Scheme and authority of studio.previewUrlPrefix if specified.

    • 'self'

  • studio.security.csp.connectSrc: Takes a list of values for the connect-src policy directive. Default value is 'self'.

  • studio.security.csp.fontSrc: Takes a list of values for the font-src policy directive. Default value is 'self'.

  • studio.security.csp.imgSrc: Takes a list of values for the img-src policy directive. Default value is 'self'.

  • studio.security.csp.mediaSrc: Takes a list of values for the media-src policy directive. Default value is 'self'.

  • studio.security.csp.objectSrc: Takes a list of values for the object-src policy directive. Default value is 'self'.

  • studio.security.csp.reportUri: Takes a list of values for the report-uri policy directive. If no custom list is provided, the directive is not included in the CSP header.

  • studio.security.csp.frameAncestors: Takes a list of values for the frame-ancestors policy directive. Default value is 'none'. This directive is used to defend against clickjacking attacks.

    Please note that the frame-ancestors directive is part of the Content Security Policy Level 2 standard, which is not yet supported by all browsers that support Content Security Policy Level 1. If required, similar protection can be achieved for 'legacy' browsers by setting an appropriate X-Frame-Options header.

Here is an example of how an adapted property looks.

studio.security.csp.objectSrc='self',www.exampleDomain.com

Write CSP Compliant Code

According to the default policy, inline JavaScript will not be executed. This restriction bans both inline script blocks and inline event handlers (for example onclick="..."). The first restriction wipes out a huge class of cross-site scripting attacks by making it impossible to accidentally execute scripts injected by a malicious third party. It does, however, require a clean separation between content and behavior (which is good practice anyway). The required code changes for inline JavaScript can be summarized as follows:

  • Inline script blocks need to be moved into external JavaScript files.

  • Inline event handler definitions must be rewritten in terms of addEventListener and extracted into component code.

CSP violations can be easily discovered by monitoring the browser console. All violations are logged as errors including further details about the violation type and culprit.
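The following is an added example, not code from CoreMedia Studio or its Blueprint. It shows the two refactorings listed above in working form (an onclick attribute replaced by addEventListener in component code) together with a small scan that flags the markup the default policy would block, so a migration can be checked before the browser console reports violations. The markup samples, the element ids and the function names are constructed for this example; the handler function accepts any object with the EventTarget interface, which is a DOM element in the browser and Node's built-in EventTarget here.

```javascript
// Added example (not CoreMedia code): CSP-compliant event wiring plus a scan
// for markup that the default Studio policy (no inline script) would block.

// Scan markup for inline <script> blocks (no src attribute) and inline
// on<event>="..." handler attributes. Returns one finding per occurrence;
// an empty array means nothing needs to be migrated.
function findInlineScriptUsage(html) {
  const findings = [];
  let m;

  // <script ...> tags without a src attribute are inline script blocks.
  const scriptRe = /<script\b([^>]*)>/gi;
  while ((m = scriptRe.exec(html)) !== null) {
    if (!/\bsrc\s*=/i.test(m[1])) {
      findings.push({ kind: 'inline-script', snippet: m[0] });
    }
  }

  // Attributes such as onclick="..." or onload='...' are inline handlers.
  const handlerRe = /\son([a-z]+)\s*=\s*("[^"]*"|'[^']*')/gi;
  while ((m = handlerRe.exec(html)) !== null) {
    findings.push({ kind: 'inline-handler', event: m[1].toLowerCase(), snippet: m[0].trim() });
  }
  return findings;
}

// Component code: behaviour is attached with addEventListener instead of an
// onclick attribute. `button` is any EventTarget (DOM element in the browser).
// The returned state object lets callers observe what the listener did.
function wireSaveButton(button, onSave) {
  const state = { clicks: 0 };
  button.addEventListener('click', () => {
    state.clicks += 1;
    onSave(state.clicks);
  });
  return state;
}

// Constructed sample: a legacy view that mixes content and behaviour.
const LEGACY_MARKUP = `
<div id="toolbar">
  <button id="save" onclick="save()">Save</button>
  <script>function save() { alert('saved'); }</script>
  <script src="/js/toolbar.js"></script>
</div>`;

// Constructed sample: the same view after moving behaviour into /js/toolbar.js
// (where wireSaveButton would be called with document.getElementById('save')).
const CSP_COMPLIANT_MARKUP = `
<div id="toolbar">
  <button id="save">Save</button>
  <script src="/js/toolbar.js"></script>
</div>`;

// Stand-alone demonstration: report what each sample would trigger.
for (const [name, markup] of [['legacy', LEGACY_MARKUP], ['compliant', CSP_COMPLIANT_MARKUP]]) {
  const findings = findInlineScriptUsage(markup);
  console.log(`${name}: ${findings.length} inline-script finding(s)`);
  for (const f of findings) console.log(`  ${f.kind}: ${f.snippet}`);
}
```

The scan is a coarse regular-expression check meant for a quick pass over templates, not a full HTML parser; the browser console remains the authoritative source for violations at runtime.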

Customize CSP Mode

CoreMedia Studio can run in one of four supported CSP modes.

  • ENFORCE: Full CSP protection is enabled. All directives are enforced and reported.

  • ENFORCE_ALLOW_DISABLE: Enable full CSP protection unless the disableCsp query parameter is set to 'true'. This mode is not recommended for a production environment.

  • REPORT: CSP protection is enabled in report-only mode. All violations are reported to the report-uri directive configured in studio.security.csp.reportUri, but the directives are not enforced. This mode is not recommended for a production environment.

  • DISABLE: CSP protection is disabled. This setting is not recommended.

The configuration is done via the studio.security.csp.mode key of the WEB-INF/application.properties property file of the Studio web application.
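As an added example covering both the studio.security.csp.* property list and the CSP mode section above, the following code is not CoreMedia's implementation; it assembles a CSP header from a few application.properties lines the way the text describes. The property names, directive names, default values and the frame-src default hierarchy are taken from this page; the parsing logic, the comma-separated form of studio.previewUrlWhitelist, the treatment of the disableCsp query parameter, and the sample property values are assumptions of this example.

```javascript
// Added example (not CoreMedia code): turn studio.security.csp.* properties and
// studio.security.csp.mode into the response header described on this page.

// Property suffix, CSP directive, and the documented default (null = derived/omitted).
const DIRECTIVES = [
  ['styleSrc',       'style-src',       ["'self'", "'unsafe-inline'"]],
  ['scriptSrc',      'script-src',      ["'self'", "'unsafe-eval'"]],
  ['imgSrc',         'img-src',         ["'self'"]],
  ['connectSrc',     'connect-src',     ["'self'"]],
  ['objectSrc',      'object-src',      ["'self'"]],
  ['fontSrc',        'font-src',        ["'self'"]],
  ['mediaSrc',       'media-src',       ["'self'"]],
  ['frameSrc',       'frame-src',       null],   // default derived by frameSrcDefault()
  ['frameAncestors', 'frame-ancestors', ["'none'"]],
  ['reportUri',      'report-uri',      null],   // omitted unless configured
];

// Minimal parser for key=value lines of a .properties file (assumed format).
function parseProperties(text) {
  const props = {};
  for (const raw of text.split('\n')) {
    const line = raw.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq < 0) continue;
    props[line.slice(0, eq).trim()] = line.slice(eq + 1).trim();
  }
  return props;
}

// List-valued properties are comma separated, as in the objectSrc example above.
function listValue(props, key) {
  const v = props[key];
  if (v === undefined || v === '') return null;
  return v.split(',').map(s => s.trim()).filter(Boolean);
}

// frame-src default hierarchy: whitelist, then scheme+authority of the preview prefix, then 'self'.
function frameSrcDefault(props) {
  const whitelist = listValue(props, 'studio.previewUrlWhitelist');
  if (whitelist) return whitelist;
  const prefix = props['studio.previewUrlPrefix'];
  if (prefix) {
    const u = new URL(prefix);           // keep only scheme and authority
    return [`${u.protocol}//${u.host}`];
  }
  return ["'self'"];
}

// Build the policy string: default-src 'none' followed by each directive.
function buildPolicy(props) {
  const parts = ["default-src 'none'"];
  for (const [prop, directive, fallback] of DIRECTIVES) {
    let values = listValue(props, `studio.security.csp.${prop}`);
    if (!values) values = directive === 'frame-src' ? frameSrcDefault(props) : fallback;
    if (values) parts.push(`${directive} ${values.join(' ')}`);
  }
  return parts.join('; ');
}

// Choose the header for the configured mode. `query` holds the request's query
// parameters; returns null when no CSP header is to be sent.
function cspHeader(props, query = {}) {
  const mode = (props['studio.security.csp.mode'] || 'ENFORCE').toUpperCase();
  const policy = buildPolicy(props);
  switch (mode) {
    case 'ENFORCE':
      return { name: 'Content-Security-Policy', value: policy };
    case 'ENFORCE_ALLOW_DISABLE':
      return query.disableCsp === 'true' ? null : { name: 'Content-Security-Policy', value: policy };
    case 'REPORT':
      return { name: 'Content-Security-Policy-Report-Only', value: policy };
    case 'DISABLE':
      return null;
    default:
      throw new Error(`unknown CSP mode: ${mode}`);
  }
}

// Constructed sample configuration (not a real Studio setup).
const SAMPLE_PROPERTIES = `
# constructed sample, not a real Studio configuration
studio.previewUrlPrefix=https://preview.example.test:8443/preview
studio.security.csp.objectSrc='self',www.exampleDomain.com
studio.security.csp.reportUri=/csp-report
studio.security.csp.mode=REPORT
`;

const sampleHeader = cspHeader(parseProperties(SAMPLE_PROPERTIES));
console.log(sampleHeader ? `${sampleHeader.name}: ${sampleHeader.value}` : 'no CSP header sent');
```

With the sample properties the header name becomes Content-Security-Policy-Report-Only (REPORT mode), object-src carries the customized value, frame-src is derived from the scheme and authority of studio.previewUrlPrefix, and report-uri is present only because studio.security.csp.reportUri was set; with an empty configuration the output matches the default policy listed at the top of this section.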