Insecure Content Security Policy

  • 11 August 2022
  • 1 reply
  • 167 views


We received a penetration testing result from a customer that our Content Security Policy (CSP) is insecure because we use ‘unsafe-inline’ and ‘unsafe-eval’ without nonces. We have this due to the requirement from Heap https://developers.heap.io/docs/web#content-security-policy-csp, but I’d like to know why? Is there any way to get Heap to work without these source list values?


1 reply


I submitted a support ticket for this and received a response.  I’m posting it here for those interested.
 

We're actively investigating ways to make this option more secure, but we're not able to directly provide a nonce-based solution at this time. However, it is possible to implement a hash- or nonce-based solution on your end. The hash-based solution is the more straightforward option, as it simply requires sending a hash of the Heap install snippet as part of your CSP. This ensures that the Heap snippet specifically can be run without enabling other inline code generally by requiring unsafe-inline. (Please note that each environment within your project will require its own hash, as an environment-specific ID is included in each environment's Heap install snippet.) Please note that responsibility for implementing and maintaining a nonce or hash solution does fall on your development team.
 
It's also worth reviewing that at present, there are two main components to our Content Security Policy, unsafe-inline and unsafe-eval. While unsafe-inline (or a nonce or hash solution) is currently required for heap.js to capture data, unsafe-eval can be removed if you don't mind losing access to snapshots and the Event Visualizer. One option this allows for is disabling unsafe-eval on the production site, but enabling it for a development version of the site that contains no sensitive data. This will allow definition of events on the development site in the Event Visualizer, and since defined events are shared between environments within a project, those events will be available for reporting in the production environment as well.

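Computing the hash-based allowlist the support reply describes, as an added example that is not part of the original thread or of Heap's own code: it hashes each inline script exactly as served, emits a script-src without 'unsafe-inline', and checks a page against a policy so a missing per-environment hash is caught before deploy. SAMPLE_SNIPPET is a constructed stand-in for the install snippet, and the vendor CDN host from Heap's CSP docs is left for the caller to pass in other_sources.

```python
import base64
import hashlib
import re

# Constructed stand-in for a vendor install snippet. Each environment's real
# snippet embeds its own ID, so the hash differs per environment.
SAMPLE_SNIPPET = 'window.heap=window.heap||[];heap.load("ENV_ID_PLACEHOLDER");'

_SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def csp_script_hash(inline_script: str, algo: str = "sha256") -> str:
    """Return the CSP source expression ('sha256-<base64>') for one inline script.

    The hash covers the exact text between <script> and </script>, whitespace
    included, so it must be computed from the markup that is actually served.
    """
    digest = hashlib.new(algo, inline_script.encode("utf-8")).digest()
    return f"'{algo}-{base64.b64encode(digest).decode('ascii')}'"


def inline_script_bodies(html: str) -> list[str]:
    """Inline <script> bodies in a page; external scripts (src=..., empty body) are skipped."""
    return [m.group(1) for m in _SCRIPT_RE.finditer(html) if m.group(1)]


def hashed_script_src(html: str, other_sources: tuple[str, ...] = ("'self'",)) -> str:
    """Build a script-src directive that allows exactly the page's inline scripts.

    'unsafe-inline' is deliberately absent; the analytics host from the vendor's
    CSP docs (an assumption left to the caller) goes in other_sources.
    """
    hashes = [csp_script_hash(body) for body in inline_script_bodies(html)]
    return "script-src " + " ".join(list(other_sources) + hashes)


def unhashed_inline_scripts(html: str, script_src: str) -> list[str]:
    """Inline scripts a hash-only policy would block: a deploy-time check that
    each environment's snippet hash actually made it into the header."""
    allowed = set(script_src.split())
    return [body for body in inline_script_bodies(html)
            if csp_script_hash(body) not in allowed]


if __name__ == "__main__":
    page = (f"<html><head><script>{SAMPLE_SNIPPET}</script>"
            '<script src="/app.js"></script></head></html>')
    print(hashed_script_src(page))
    print(unhashed_inline_scripts(page, "script-src 'self'"))
```

Re-run the check against every environment's rendered page, since the support reply notes that each environment ships a different snippet and therefore needs its own hash.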