Improving browser security with Content Security Policy

Content Security Policy (CSP) is an additional layer of browser-enforced security that helps mitigate attacks such as data injection and Cross-Site Scripting (XSS). The policy is delivered in the Content-Security-Policy HTTP response header, so customizing it normally means configuring the web server to set or modify that header.

With the CSPFilter, administrators do not need to edit the header manually: the filter removes the unsafe-inline and unsafe-eval keywords from the Content-Security-Policy header of every HTTP response.

The unsafe-inline and unsafe-eval keywords exist to keep older code working, but they weaken the policy. unsafe-inline allows any inline script, including inline event handler attributes, to run; unsafe-eval allows code to be built from strings at runtime with eval() and similar functions. With either keyword present, script that an attacker manages to inject into the page runs just like the application's own code. Browser security is improved when
  • The keywords unsafe-inline and unsafe-eval are removed.
  • Inline scripts and eval() expressions are removed.
  • A nonce is added to each legitimate script tag.
In IBM Content Navigator, an administrator can remove the unsafe keywords by enabling the following JVM options:
-Dcom.ibm.ecm.icn.system.security.csp.removeUnsafeEval=true
-Dcom.ibm.ecm.icn.system.security.csp.removeUnsafeInline=true

Developers must remove inline code and eval() expressions from custom code and update it so that the application keeps working. With unsafe-eval removed, the browser refuses to evaluate code from strings at runtime: eval(), new Function() and string arguments to setTimeout() and setInterval() throw an error, and the browser reports the CSP violation in the developer console.

When removeUnsafeInline is set to true, Navigator removes the unsafe-inline keyword from the header and adds a nonce source automatically. Without unsafe-inline, inline event handler attributes such as onclick and onblur on elements no longer run; such attributes cannot carry a nonce, so they must be replaced with addEventListener() calls inside a nonced script. Every script tag must carry the nonce for its code to execute; otherwise the browser blocks that script tag. The nonce is a random value generated for each response, and the value 123-abc below is only a placeholder.
// No longer works
<script>alert(1);</script>

// Will work
<script nonce="123-abc">alert(1);</script>