Content Security Policy settings

  • Posts: 94
  • Thank you received: 2
  • Hikashop Business
1 year 2 months ago #355575

-- HikaShop version -- : 4.7.5
-- Joomla version -- : 4.3.4
-- PHP version -- : 8.1

Hi there,

I'm trying to make a Content Security Policy using the wizard at a website called report-uri.com. This wizard will show you the detected items on a website. I let it ran for a week and the detected items contained a lot of 'unsafe-inline', 'unsafe-eval' directives:

default-src 'unsafe-inline'
script-src-attr 'unsafe-inline'
script-src-elem 'unsafe-inline'
script-src 'unsafe-eval'
script-src 'unsafe-inline'
style-src-attr 'unsafe-inline'
style-src-elem 'unsafe-inline'
style-src 'unsafe-inline'

In my opinion the website will remain vulnerable when whitelisting these in the CSP. Are there specific directives that should have the 'unsafe-inline' or 'unsafe-eval' expressions for Hikashop to work properly?

Thanks in advance!

Please Log in or Create an account to join the conversation.

  • Posts: 83024
  • Thank you received: 13403
  • MODERATOR
1 year 2 months ago #355579

Hi,

This wizard will show you the detected items on a website. I let it ran for a week and the detected items contained a lot of 'unsafe-inline', 'unsafe-eval' directives

Could you provide more information on each detected item ?
Because with just "default-src 'unsafe-inline'" I can't say anything useful.

In my opinion the website will remain vulnerable when whitelisting these in the CSP.

Vulnerable to what ? CSP is an extra layer of security on your website.
Not having CSP configured on your website doesn't necessarily means that your website is vulnerable to anything.
Also whitelisting things you know are safe shouldn't be a problem. For example, the hikashop.js file of HikaShop is safe as you know it comes from us. The goal is mainly to restrict the domain names from where javascript can be loaded on your pages. That way, if some hacker tries an attack where it forces your users to load a javascript file from a server of the hacker, it will fail.

Are there specific directives that should have the 'unsafe-inline' or 'unsafe-eval' expressions for Hikashop to work properly?

I don't know. Are there specific areas of HikaShop that don't work properly on your website without these directives ?

Please Log in or Create an account to join the conversation.

  • Posts: 94
  • Thank you received: 2
  • Hikashop Business
1 year 2 months ago #355717

Hi Nicolas,

Thanks for replying

Could you provide more information on each detected item ?
Because with just "default-src 'unsafe-inline'" I can't say anything useful.

The report doesn't tell from which pages the 'unsafe-inline', 'unsafe-eval' directives are coming, only that they are detected by the wizard.

Vulnerable to what ? CSP is an extra layer of security on your website.
Not having CSP configured on your website doesn't necessarily means that your website is vulnerable to anything.
Also whitelisting things you know are safe shouldn't be a problem. For example, the hikashop.js file of HikaShop is safe as you know it comes from us. The goal is mainly to restrict the domain names from where javascript can be loaded on your pages. That way, if some hacker tries an attack where it forces your users to load a javascript file from a server of the hacker, it will fail.

I'm trying to make a list of all domains used by added components, etc. that can be whitelisted. If I miss some and activate the CSP there will be a chance that the website isn't working as it should

I don't know. Are there specific areas of HikaShop that don't work properly on your website without these directives ?

Can't tell, because the CSP is in report-only mode now. In the directive 'script-src' I whitelisted cdn.hikashop.com, but don't know if this is the only domain you use and also don't know if Hikashop is using inline scripts and/or styles.

Hope you understand my questions, because the website has been checked by a security scan and they told us to activate CSP. (but not how!)

Last edit: 1 year 2 months ago by RustyHika.

Please Log in or Create an account to join the conversation.

  • Posts: 83024
  • Thank you received: 13403
  • MODERATOR
1 year 2 months ago #355724

Hi,

Ok, I see what you mean. As I said, not having CSP doesn't mean that the website is vulnerable. Having it is better as it adds an extra layer of security. If you're unsure, I would recommend making a copy of the website and activating it on the copy of the website. That way, you can do your tests and make sure that everything works with the CSP activated without impacting your website.

cdn.hikashop.com is the only domain HikaShop itself uses.
However, plugins can use other domains.
For example, the PayPal checkout payment plugin will use a JS file from paypal.com or sandbox.paypal.com
And many payment plugins do so.
Other plugins like the Google Analytics plugin, or the ReCaptcha plugin also use JS files from their respective online services.
I don't have a full list of all the files used by all the plugins we ever released, included, in HikaShop or not.

Please Log in or Create an account to join the conversation.

Time to create page: 0.059 seconds
Powered by Kunena Forum