API Developer Portal - CSP Header containing script-src 'self' 'unsafe-inline'
Article ID: 412104

Products

CA API Developer Portal

Issue/Introduction

The API Portal pages have a Content Security Policy (CSP) configured with script-src 'self' 'unsafe-inline' 'unsafe-eval', which is commonly considered an insecure configuration.

Refer to the links below:

https://content-security-policy.com/unsafe-inline/

https://csp.withgoogle.com/docs/strict-csp.html

Such a combination of options might allow an injected inline script to execute alongside the page's legitimate scripts, and is therefore regarded as an insecure combination.

For example, when opening the Application details page, the URI

/admin/api-management/internal/OrganizationApiGroups?orgUuid=00000000000000a&skipStatusCheck=true&size=12&page=0&name=

returns HTTP headers including:

Content-Security-Policy: default-src 'self' https:; img-src * data:; media-src https://layer7.saas.broadcom.com; font-src 'self' data:; script-src 'self' 'nonce-bb0931c74f15763ad9235ee18314239' 'sha256-mHqJ2kiIcxy7sZRMT6xyghoqRTTIlh2Mm71FawcH/bg='; style-src * 'unsafe-inline' https://google-code-prettify.googlecode.com/svn/loader/prettify.css; connect-src 'self' https:; object-src 'none'; frame-src 'self'; frame-ancestors 'self'

Is the Portal affected by this?

Environment

All supported versions of API Developer Portal

Resolution

The Portal is not affected by these headers. The script-src 'self' directive, combined with a nonce and a hash, only allows legitimate scripts to execute.

The 'unsafe-inline' keyword in the header above applies to style-src (styles), not to script-src (scripts).
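As an added illustration (not part of this article or the Portal product), the following script parses the Content-Security-Policy value quoted above and reports which directive actually carries 'unsafe-inline' and whether inline script could run. It also applies the CSP Level 2 rule that a nonce or hash in script-src causes 'unsafe-inline' to be ignored, which is why the nonce/hash combination is what matters. The helper names parse_csp and assess_policy are assumptions, and SAMPLE_CSP is the header constructed from the article.

```python
import re

# Constructed sample input: the Content-Security-Policy value quoted in the article above.
SAMPLE_CSP = (
    "default-src 'self' https:; img-src * data:; "
    "media-src https://layer7.saas.broadcom.com; font-src 'self' data:; "
    "script-src 'self' 'nonce-bb0931c74f15763ad9235ee18314239' "
    "'sha256-mHqJ2kiIcxy7sZRMT6xyghoqRTTIlh2Mm71FawcH/bg='; "
    "style-src * 'unsafe-inline' "
    "https://google-code-prettify.googlecode.com/svn/loader/prettify.css; "
    "connect-src 'self' https:; object-src 'none'; frame-src 'self'; "
    "frame-ancestors 'self'"
)

NONCE_RE = re.compile(r"^'nonce-[A-Za-z0-9+/=_-]+'$")
HASH_RE = re.compile(r"^'sha(256|384|512)-[A-Za-z0-9+/=]+'$")

def parse_csp(header):
    """Split a CSP header into {directive-name: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.strip().split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def assess_policy(policy):
    """Decide whether inline script (and inline style) can actually run under this policy."""
    # Fetch-directive fallback: script-src and style-src inherit default-src when absent.
    scripts = policy.get("script-src", policy.get("default-src", []))
    styles = policy.get("style-src", policy.get("default-src", []))
    nonce_or_hash = any(NONCE_RE.match(s) or HASH_RE.match(s) for s in scripts)
    # CSP Level 2+ browsers ignore 'unsafe-inline' in a directive that also carries
    # a nonce or hash, so only the unguarded form actually enables inline script.
    inline_script_allowed = "'unsafe-inline'" in scripts and not nonce_or_hash
    return {
        "nonce_or_hash": nonce_or_hash,
        "unsafe_eval": "'unsafe-eval'" in scripts,
        "inline_script_allowed": inline_script_allowed,
        # 'unsafe-inline' under style-src permits inline CSS, not script execution.
        "inline_style_allowed": "'unsafe-inline'" in styles,
    }

if __name__ == "__main__":
    for name, value in assess_policy(parse_csp(SAMPLE_CSP)).items():
        print(f"{name}: {value}")
```

Running it against the quoted header reports inline_script_allowed as False and inline_style_allowed as True, matching the resolution; the same checker flags a header whose script-src really does carry 'unsafe-inline' without a nonce or hash.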