Hi,
We have a number of customers looking at our solution that leverages Portal JS. However, some are doing their own pen test / web application testing, and the unsafe-inline and unsafe-eval CSP directives are coming up.
The main issue is the inline scripts... one solution is to move all scripting to a separate resource file... so then there are NO inline scripts and we can lock this down with the Content Security Policy.
Any thoughts on how we can address this?
Thanks!!!
Oscar Sadder | Project Director – PowerObjects an HCL Company | Office: 612.339.3355 | Email: Oscar.sadder@HCL-PowerObjects.com
Hello,
Could you please specify how we can reproduce the issue on our side?
What platform are you talking about?
Thanks, Serge
SurveyJS Team
Hi,
I am adding @Saswat Gorkhali for more information.
Hi,
Please refer to this blog to learn more about Content Security Policy: https://developers.google.com/web/fundamentals/security/csp
You can reproduce this on your end by adding the Content Security Policy to the web.config of the server where you host SurveyJS. You will notice that if you skip "unsafe-eval" in the CSP, SurveyJS will stop working. I think it's because SurveyJS might be using eval() functions and other functions that CSP regards as harmful.
From: Oscar A Sadder <oscar.sadder@hcl-powerobjects.com>
Sent: Thursday, December 19, 2019 9:24 AM
To: Support Support <support@surveyjs.io>; Saswat Gorkhali <saswat.gorkhali@hcl-powerobjects.com>
Subject: RE: Survey.JS - Pen Test Results [T3125]
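The two CSP findings discussed in this thread ('unsafe-inline' and 'unsafe-eval' in script-src) can be checked mechanically before a pen tester reports them. The following is an added example written for this thread, not SurveyJS or PowerObjects code; the policy strings are constructed, and the nonce-based policy it produces is a generic hardened template, not a statement about what SurveyJS itself requires.

```python
"""Audit a Content-Security-Policy header for 'unsafe-inline' / 'unsafe-eval'
in script-src and build the nonce-based replacement. Added example; the
sample policies are constructed for illustration."""
import secrets

# Constructed: the kind of permissive policy a pen test flags.
WEAK = ("default-src 'self'; "
        "script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
        "style-src 'self' 'unsafe-inline'")

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Return {directive: [sources]} from a CSP header string."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def script_sources(policy):
    """script-src falls back to default-src when it is not set (CSP fallback rule)."""
    return policy.get("script-src", policy.get("default-src", []))


def audit(header):
    """Return the findings a reviewer would raise for script execution."""
    script = script_sources(parse_csp(header))
    findings = []
    # Browsers that see a nonce or hash source ignore 'unsafe-inline' (CSP2),
    # so it is only a finding when no nonce/hash is present alongside it.
    if "'unsafe-inline'" in script and not any(
            s.startswith(HASH_OR_NONCE) for s in script):
        findings.append("script-src 'unsafe-inline': inline <script> and "
                        "on* handlers execute")
    if "'unsafe-eval'" in script:
        findings.append("script-src 'unsafe-eval': eval()/new Function() allowed")
    return findings


def hardened_policy(nonce):
    """Nonce-based policy: emit a fresh nonce per response and stamp it on every
    <script nonce="..."> the server renders. This removes 'unsafe-inline';
    'unsafe-eval' has no nonce equivalent, so eval-dependent code has to be
    refactored (e.g. moved to a static file that no longer calls eval)."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            "style-src 'self'; object-src 'none'; base-uri 'self'")


def new_nonce():
    """128-bit random, URL-safe nonce; must differ on every response."""
    return secrets.token_urlsafe(16)
```

Serve the hardened header with the per-response nonce as the `Content-Security-Policy` header (for IIS, in the customHeaders section of web.config) and confirm `audit()` returns no findings.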