Concern about the unsafe-inline and unsafe-eval CSP headers / Vulnerability about Missing Authentication of public URLs
IM 14.5
Justification for the Missing Authentication of public URLs finding.
Please find the details below.
Finding: Missing authentication for static files (JS/CSS/img)
Examples:
- ..../iam/im/ui//ca-css/css/button.css
- ....../iam/im/ui/skin/idm//stylesheet/castyles-override.css
- ......../iam/im/ui/skin/idm/image/tasks/redo.png
These are all static resources, and there is no harm in accessing them publicly. We have our reasons for not requiring authentication for these JS/CSS/img files. Where SiteMinder integration is used for authentication, the IM static pages should be served through SiteMinder. A few customers customize the IM UI but use only a few CSS/IMG files from these static pages.
As per the IM design, we left these files accessible from outside because some use cases require it. This is one kind of implementation; it cannot simply be compared with other products during testing (pen test).