Content Security policy containing script-src 'self' 'unsafe-inline' 'unsafe-eval'
Article ID: 261001

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Running the browser's Developer Tools while connecting to CA PAM reveals that login.jsp is served with a Content Security Policy (CSP) of script-src 'self' 'unsafe-inline' 'unsafe-eval', which is commonly considered an insecure configuration.

In particular, the following links

https://content-security-policy.com/unsafe-inline/

https://csp.withgoogle.com/docs/strict-csp.html

suggest that this combination of options might allow someone to inject an inline script that runs in the page (for example via the URL), and that it is therefore an insecure combination.
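The following is an added example, not code from CA PAM or from the linked articles: a small audit function that parses a Content-Security-Policy header, resolves the effective script-src (falling back to default-src as the specification does), and reports the weak source expressions discussed above. The two policies it is run against are constructed for the example; the first mirrors the login.jsp policy quoted in this article, and the second is the nonce-based "strict CSP" shape recommended by the csp.withgoogle.com document (the nonce value is a placeholder).

```python
"""Audit a Content-Security-Policy header for weak script-src source expressions."""

# Source expressions that weaken script-src: 'unsafe-inline' permits any inline
# script, 'unsafe-eval' permits eval()/new Function(), and the wildcard or
# scheme-only sources permit scripts from essentially anywhere.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:"}

# Constructed sample policies (not taken from a live system).
PAGE_CSP = "script-src 'self' 'unsafe-inline' 'unsafe-eval'"
STRICT_CSP = ("script-src 'nonce-PLACEHOLDER_NONCE' 'strict-dynamic'; "
              "object-src 'none'; base-uri 'none'")


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive_name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        # Per the CSP spec, a repeated directive is ignored; the first one wins.
        policy.setdefault(name, sources)
    return policy


def script_sources(policy: dict) -> list:
    """Effective script-src: explicit directive, else default-src fallback."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_script_src(header: str) -> list:
    """Return a list of findings; an empty list means no weak source was found."""
    findings = []
    sources = script_sources(parse_csp(header))
    if not sources:
        findings.append("no script-src or default-src: scripts unrestricted")
        return findings

    # CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash source
    # is present, so it is not reported as a finding in that case.
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    for source in sources:
        if source in WEAK_SCRIPT_SOURCES:
            if source == "'unsafe-inline'" and has_nonce_or_hash:
                continue
            findings.append(f"script-src allows {source}")
    return findings


if __name__ == "__main__":
    for label, csp in (("page policy", PAGE_CSP), ("strict policy", STRICT_CSP)):
        print(f"{label}: {csp}")
        for finding in audit_script_src(csp) or ["no weak script sources"]:
            print(f"  - {finding}")
```

Run against the page's policy the audit reports both 'unsafe-inline' and 'unsafe-eval'; against the strict policy it reports nothing, because inline scripts are only honoured when they carry the per-response nonce and 'strict-dynamic' replaces the host allow-list. The same function can be pointed at the Content-Security-Policy response header captured in the Developer Tools network tab to confirm what a deployment actually serves.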

Environment

CA PAM all releases

Resolution

CA PAM output-encodes all user-supplied data that is entered and shown in the UI. This is sufficient to prevent cross-site scripting (XSS) and removes the potential problem arising from this combination of CSP options.