Overview
EdgeScan has reported a security vulnerability with our Content Security Policy (CSP) configuration, specifically concerning the style directives that currently allow for untrusted style execution. The present CSP appears as:
default-src https: 'unsafe-eval' 'unsafe-inline' www.googletagmanager.com; img-src 'self' www.googletagmanager.com data:; script-src 'self'
Vulnerability Details
- The use of 'unsafe-inline', data: URLs, and global wildcards in style directives exposes the application to style-based data exfiltration attacks.
- EdgeScan's recommended remediation:
  - "Mitigate style-based data exfiltration by avoiding 'unsafe-inline', data: URLs, and global wildcards in style directives. Use a secure, random nonce of at least 8 characters 'nonce-RANDOM' in the relevant directive."
Task
- Explore safe solutions to mitigate CSP vulnerabilities related to styles.
- Update our CSP to avoid 'unsafe-inline', data:, and wildcards in style directives.
- Integrate a secure, random nonce (at least 8 characters) for inline styles if necessary.
- Ensure continued support for Google Tag Manager without compromising security.
- Reference: Google Tag Manager and CSP Guidance
Acceptance Criteria
- Review and document potential secure CSP configurations that address the reported vulnerability.
- Advise on any code or configuration changes required.
- Provide guidance for maintaining GTM functionality within a secure CSP framework.
- Ensure that https://ownercommunity.org passes the security headers check at https://securityheaders.com/ with an A grade.