CA Identity Portal Vulnerability CSP policy on IdentityPortal /sigma/app/index

Article ID: 403271

Products

CA Identity Suite

Issue/Introduction

A vulnerability assessment (VA) scan reported that the Content-Security-Policy (CSP) header was missing from the Identity Portal (vApp), even though a CSP had been implemented at the Web Access Firewall level with the following value:
default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob

Environment

vApp 14.5.1 CHF1

Cause

The latest VA scan flagged the CSP source keywords 'unsafe-eval' and 'unsafe-inline' in that policy. 'unsafe-inline' permits inline scripts and event-handler attributes, and 'unsafe-eval' permits eval()-style string-to-code execution; together they remove most of the cross-site scripting protection a CSP is meant to provide, so scanners report a policy containing them as unsafe.

Resolution

The current Identity Portal UI depends on third-party libraries, in particular AngularJS, whose core implementation does not work under a CSP that omits 'unsafe-inline' and 'unsafe-eval'; configuring a stricter CSP header for the portal is therefore not supported at this time. Migration from AngularJS to Angular is planned, but it will not happen immediately or in the near future.

The other security headers, X-Frame-Options and X-XSS-Protection, are turned on by default in Identity Portal. You can confirm this with the following steps:

Open the Identity Portal in a browser.
Press F12 to open Developer Tools.
Go to the Network tab.
Reload the page and select the main request (usually the root path or the login page).
In the Headers tab, under Response Headers, look for:
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block

This confirms they are set in the HTTP responses. Note that X-XSS-Protection is a legacy header that current Chromium-based browsers and Firefox ignore, so it does not compensate for the weakened CSP; of the two, only X-Frame-Options still provides protection (against clickjacking).
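The following script automates the check above and also evaluates the WAF-level policy quoted in the Issue section. It is an added example, not code from the Broadcom article or the Identity Portal product. It assumes the portal answers at a URL such as https://<host>/sigma/app/index (the path in the article title; the host names are hypothetical), and the sample header sets are constructed here, with "blob:" written with its colon so the sample is a syntactically valid CSP.

```python
"""Audit the security response headers of an Identity Portal deployment.

Added example; not part of the Broadcom article or the Identity Portal product.
Assumes the portal answers at a URL such as https://<host>/sigma/app/index
(the path from the article title); every host name here is hypothetical.
"""
import ssl
import urllib.error
import urllib.request
from typing import Dict, List

# CSP source keywords that a VA scanner reports as unsafe, with the reason.
UNSAFE_KEYWORDS = {
    "'unsafe-inline'": "allows inline <script> blocks and event-handler attributes",
    "'unsafe-eval'": "allows eval(), new Function() and string-based setTimeout",
    "'unsafe-hashes'": "allows hash-matched inline event handlers and style attributes",
}


def parse_csp(value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy value into {directive: [sources]}.

    Directives are ';'-separated; the first token of each is the directive
    name and the remaining tokens are its source expressions.
    """
    policy: Dict[str, List[str]] = {}
    for directive in value.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def unsafe_sources(policy: Dict[str, List[str]], directive: str = "script-src") -> List[str]:
    """Return the unsafe keywords that apply to `directive`.

    Fetch directives such as script-src fall back to default-src when they are
    absent, so a policy that only says "default-src ... 'unsafe-inline'" still
    allows inline scripts, exactly like the WAF policy in the article.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    return [source for source in sources if source.lower() in UNSAFE_KEYWORDS]


def audit_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """Map each header the article discusses to a finding string."""
    lower = {name.lower(): value for name, value in headers.items()}
    findings: Dict[str, str] = {}

    csp = lower.get("content-security-policy")
    if csp is None:
        findings["content-security-policy"] = "missing"
    else:
        bad = unsafe_sources(parse_csp(csp))
        findings["content-security-policy"] = ("unsafe: " + " ".join(bad)) if bad else "ok"

    xfo = lower.get("x-frame-options", "").strip().upper()
    findings["x-frame-options"] = "ok" if xfo in {"SAMEORIGIN", "DENY"} else "missing or weak"

    # Legacy header: modern browsers ignore it, but the scan still expects it.
    xss = lower.get("x-xss-protection", "").replace(" ", "").lower()
    findings["x-xss-protection"] = "ok" if xss == "1;mode=block" else "missing or weak"
    return findings


def fetch_headers(url: str, insecure: bool = False, timeout: int = 10) -> Dict[str, str]:
    """GET `url` and return the response headers of the final response.

    Redirects to the login page are followed; a 401/403 answer still carries
    the security headers, so HTTPError responses are treated as a valid
    answer. `insecure=True` skips certificate verification for vApps that
    still use a self-signed certificate.
    """
    ctx = ssl.create_default_context()
    if insecure:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    request = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=timeout, context=ctx) as response:
            return dict(response.headers.items())
    except urllib.error.HTTPError as error:
        return dict(error.headers.items())


# Constructed sample responses: the WAF-level policy quoted in the article
# and a portal response that carries only the two default headers.
WAF_HEADERS = {
    "Content-Security-Policy": "default-src 'self' 'unsafe-eval' 'unsafe-hashes' 'unsafe-inline' data: blob:",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}
PORTAL_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
}

if __name__ == "__main__":
    import sys

    # Usage: python audit.py https://portal.example.test/sigma/app/index [--insecure]
    if len(sys.argv) > 1:
        headers = fetch_headers(sys.argv[1], insecure="--insecure" in sys.argv)
    else:
        headers = WAF_HEADERS
    for name, finding in audit_headers(headers).items():
        print(f"{name}: {finding}")
```

Run without arguments the script evaluates the constructed WAF policy and reports it as unsafe; with a URL it fetches the live headers. The script-src fallback in `unsafe_sources` is the detail worth noting: a policy that declares a clean script-src beside an unsafe default-src passes, while the article's policy, which sets only default-src, does not.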