Not sure if you have an updated version of this thumbprint script, but the script provided in the Sample App that calculates the device thumbprint for the IARISK engine relies on JS eval, which is blocked by the standard Angular CSP.
Can you please let us know if there is a version available that resolves this issue?
That is a customer configuration and script usage task.
- Appropriate settings in the customer application server to serve the appropriate CSP policy in the HTTP response headers or HTML meta-data.
The minimal policy required for brand-new Angular is:
default-src 'self'; style-src 'self' 'unsafe-inline';
As noted in the Angular documentation:
Angular itself requires only these settings to function correctly. As your project grows, you may need to expand your CSP settings to accommodate extra features specific to your application.
So you need to expand your CSP setting to accommodate the extra features provided by the IaDfp script.
default-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline';
Here is an example of a CSP with a nonce "xyzzy" (the actual value doesn't matter, it should just be something unique):
default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'nonce-xyzzy' 'unsafe-eval';
This only allows unsafe eval for the script marked with the given nonce.
Additionally, the IA integration guide discusses some usages of IaDfp in calling pages where inline scripts are used.
Generally, inline scripts are prevented when a CSP is provided.
To allow the inline scripts to work, you can also place a nonce value in the script tag and reference it in the CSP.
Here is a complete example, to test the policy.
To run this test, I set the following CSP policy as the response header (make sure not to set it as the request header) using the Chrome mod header plugin:
Content-Security-Policy: default-src 'self'; style-src 'self' 'unsafe-inline'; script-src 'nonce-frobozz' 'nonce-xyzzy' 'unsafe-eval';
And I served the following HTML page (and the accompanying iadfp_1.3.js script) from a local web server, which resulted in correct fingerprint generation.
<title>Fingerprint data collection test</title>
<script src="iadfp_1.3.js" nonce="xyzzy"></script>
<div id="fingerprint"></div>
<script nonce="frobozz">
document.getElementById("fingerprint").innerHTML = IaDfp.readFingerprint()
</script>
Why this approach is likely OK
The CSP with Google site provides advice on CSP settings and usage.
Regarding 'unsafe-eval', it states:
'unsafe-eval' allows the application to use the eval(), you can remove this keyword and have a safer policy.
However, we do use and require eval, so if CSP is used, this setting must be set.
The CSP with Google site notes that when applied with a nonce and the other recommended CSP policy settings, using the 'unsafe-eval' policy is appropriate as part of:
A production-quality strict policy appropriate for most applications.
Content Security Policy (CSP) is a defense-in-depth technique to prevent XSS