Permissive Content Security Policy Detected

low Web App Scanning Plugin ID 112554

Synopsis

Permissive Content Security Policy Detected

Description

Content Security Policy (CSP) is a web security standard that helps mitigate attacks such as cross-site scripting (XSS), clickjacking and mixed-content loading. A site declares, through the Content-Security-Policy response header, which sources the browser may load each kind of content from, and the browser blocks everything else.

One or more permissive directives have been detected. See the plugin output for details.

Solution

The following directive configurations can be applied to produce a safe content security policy:

- 'frame-ancestors' should be set to 'none' to prevent the page from being rendered in a <frame>, <iframe>, <object>, <embed> or <applet>. This directive is only honoured when delivered in the HTTP header, not in a <meta> tag.
- 'form-action' should be explicitly set to 'self' to restrict form submissions to the origin from which the protected page is served. It does not fall back to 'default-src', so omitting it leaves form targets unrestricted.
- 'upgrade-insecure-requests' should be set so that the browser rewrites http:// subresource requests to https:// and mixed content (an HTTPS page loading scripts, styles or other resources over plain HTTP) never occurs. 'block-all-mixed-content' served the same purpose but is deprecated and can be dropped once 'upgrade-insecure-requests' is in place. Both are flag directives and take no value.
- Any 'unsafe-*' keyword ('unsafe-inline', 'unsafe-eval', 'unsafe-hashes') indicates the policy permits something the standard considers unsafe: 'unsafe-inline' allows inline <script> blocks and HTML event handlers such as onclick=, and 'unsafe-eval' allows eval() and similar string-to-code functions. Refactor the code into external scripts (or use nonces or hashes) rather than keeping these keywords.
- Scheme sources such as data:, https: and http: in 'default-src', 'object-src', 'base-uri' and 'script-src' allow script to be loaded from any host that uses that scheme, or for data: from an attacker-controlled URI embedded in the page, and should not be set there.
- The wildcard * and wildcard host patterns such as *.example.com in 'script-src' and the other '-src' directives allow scripts from any matching host and should be replaced with an explicit allow list.
- 'default-src' should be explicitly set to 'self' or 'none', with individual directives (for example 'img-src' or 'style-src') then set more permissively for each content type that needs it.
- * in 'default-src' is especially dangerous because 'default-src' is the fallback for every fetch directive that is not set explicitly, so each unconfigured directive silently inherits the wildcard; it should not be set.
- The keywords 'none', 'unsafe-eval', 'unsafe-inline' and 'self' must be wrapped in single quotes to be valid; an unquoted self is parsed as a host named "self", not as the current origin.
- 'object-src' should be explicitly set to 'none' to block plugin content (<object>, <embed>, <applet>) that can execute script.

If any of these permissive settings is required for business continuity in your environment, apply suitable mitigating controls (for example, nonces or hashes in place of 'unsafe-inline') and work with the vendors of the products that require them.
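As an added example (not Tenable's plugin code), the following Python script applies the checklist above to a Content-Security-Policy header value: it parses the header, then flags wildcard and scheme sources, 'unsafe-*' keywords, unquoted keywords, and missing or permissive 'object-src', 'frame-ancestors', 'form-action' and 'upgrade-insecure-requests' directives. The two header strings are constructed samples, and the rules are a simplified reading of that list rather than the scanner's exact logic.

```python
"""Flag permissive CSP directives, following the checklist in the Solution above.

Added example, not Tenable's plugin code: the rules are a simplified reading of
that list, and the two header strings are constructed samples.
"""

# Keyword sources that are only valid when single-quoted; an unquoted `self`
# is parsed as a host named "self" rather than the current origin.
QUOTED_KEYWORDS = {"self", "none", "unsafe-inline", "unsafe-eval"}

# Directives where a bare scheme (data:, http:, https:) allows script execution
# or base-tag hijacking; data: in img-src, by contrast, is usually harmless.
SCRIPT_LIKE = {"default-src", "script-src", "object-src", "base-uri"}

# Constructed samples: a policy the plugin would flag, and a hardened one.
WEAK_CSP = ("default-src * data:; script-src 'self' 'unsafe-inline' https:; "
            "frame-ancestors self")
HARDENED_CSP = ("default-src 'none'; script-src 'self'; style-src 'self'; "
                "img-src 'self' data:; object-src 'none'; base-uri 'self'; "
                "frame-ancestors 'none'; form-action 'self'; "
                "upgrade-insecure-requests")


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}.

    Browsers honour only the first occurrence of a directive, so a later
    duplicate is ignored here as well.
    """
    policy = {}
    for token in header.split(";"):
        parts = token.split()
        if not parts:
            continue
        name = parts[0].lower()
        policy.setdefault(name, parts[1:])
    return policy


def _is_none(sources):
    """True only when the directive is exactly 'none' (keywords are case-insensitive)."""
    return sources is not None and [s.lower() for s in sources] == ["'none'"]


def evaluate_csp(header):
    """Return (directive, issue) pairs for every permissive setting found."""
    policy = parse_csp(header)
    findings = []

    for directive, sources in policy.items():
        for src in sources:
            bare = src.strip("'").lower()
            quoted = src.startswith("'") and src.endswith("'")
            if bare in QUOTED_KEYWORDS and not quoted:
                findings.append((directive, "unquoted-keyword"))
            if quoted and bare.startswith("unsafe-"):
                findings.append((directive, "unsafe"))
            if src == "*" or src.startswith("*."):
                findings.append((directive, "wildcard"))
            if directive in SCRIPT_LIKE and bare in ("data:", "http:", "https:"):
                findings.append((directive, "scheme-source"))

    if "default-src" not in policy:
        findings.append(("default-src", "missing"))

    # object-src is a fetch directive, so it inherits default-src when absent;
    # frame-ancestors and form-action are not, and must be set explicitly.
    if not _is_none(policy.get("object-src", policy.get("default-src"))):
        findings.append(("object-src", "not-none"))
    if not _is_none(policy.get("frame-ancestors")):
        findings.append(("frame-ancestors", "not-none"))
    if "form-action" not in policy:
        findings.append(("form-action", "missing"))
    if "upgrade-insecure-requests" not in policy:
        findings.append(("upgrade-insecure-requests", "missing"))
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {evaluate_csp(header) or 'no findings'}")
```

Running it prints the weak policy's findings next to an empty result for the hardened one. The object-src check illustrates the fallback rule: fetch directives inherit 'default-src' when absent, whereas 'frame-ancestors' and 'form-action' do not and must always be set explicitly.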

See Also

https://content-security-policy.com/

https://csp-evaluator.withgoogle.com/

https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy

https://developers.google.com/web/fundamentals/security/csp/

Plugin Details

Severity: Low

ID: 112554

Type: remote

Published: 2/26/2019

Updated: 3/25/2024

Scan Template: basic, config_audit, full, overview, pci, quick, scan

Risk Information

VPR

Risk Factor: Low

Score: 1.4

CVSS v2

Risk Factor: Low

Base Score: 2.6

Vector: CVSS2#AV:N/AC:H/Au:N/C:P/I:N/A:N

CVSS Score Source: Tenable

CVSS v3

Risk Factor: Low

Base Score: 3.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS Score Source: Tenable

Reference Information