KoolReport's Forum


Content Security Policy #3079

Open. Anthony Piracini opened this topic on Jun 21, 2023 - 3 comments

Anthony Piracini commented on Jun 21, 2023

I am upgrading my web application to include a Content Security Policy to specifically protect against XSS and inline styles. There are many scripts and inline styles that are preventing KoolReport from running properly. We use KoolReport for reporting and many tables (DataTables).

How does one go about having a CSP and still be able to run Koolreport? Is there a guide?

From some of my tests, I was able to add a nonce value to script tags throughout Koolreport. But there were many references to inline styles - including Datatables contains style="" (inline style or blank, which is still a problem). I couldn't determine the source of the blank inline style. Then, I decided to ask for help. There could be more issues.

Sebastian Morales commented on Jun 22, 2023

You can ignore all empty inline styles. Is there any non-empty inline style that affects your reports?

Anthony Piracini commented on Jun 22, 2023

"You can ignore all empty inline styles" I cannot ignore the empty inline styles. If the style attribute is present, then the inline style CSP rule still applies. I would remove them but I can't determine where they are coming from - it's probably buried in javascript somewhere? I've seen it in DataTables if that is helpful.

"Is there any non-empty inline style that affects your reports?" Probably. If you are looking to correct the problem one inline style at a time, we could be doing a back-and-forth for a very long time. It depends on how the koolreport library was written. How many inline styles are there?

Typically in the inline style case, you would move the styles to a css file (as classes) and change the code from inline styles to class references. You would know better if this is reasonable. There are other approaches too.

And this is just addressing one CSP rule - XSS is the important one (addressing scripts).

At this point, I am looking for more of an approach and answering some bigger questions... Is it feasible to use KoolReport with a CSP? If yes, what is recommended? How should we configure our CSP? Should we disable rules (and possibly expose vulnerabilities)? Have others done this too? What are "best practices"?

If I am too vague, this article does a really good job of capturing the scope - including the section "Writing JavaScript and CSS with CSP in Mind"... https://www.invicti.com/blog/web-security/content-security-policy/
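To make the problem in this thread concrete, here is an added example (not code from KoolReport, DataTables, or any participant in this thread) that does two things: builds a nonce-based CSP header value without `'unsafe-inline'`, and audits a rendered HTML page for everything such a policy would block: inline `<script>`/`<style>` elements without the matching nonce, inline event handler attributes, and every `style` attribute, including the empty `style=""` case mentioned above. The sample HTML and the nonce value `abc123` are constructed for the example.

```python
import secrets
from html.parser import HTMLParser

# Constructed sample of a rendered report page (not KoolReport's real output).
# It mixes a nonce-carrying inline script, an inline <style>, an element with an
# empty style="" attribute, a non-empty style attribute, an inline event
# handler, an external script and a nonce-less inline script.
SAMPLE_HTML = """
<html><head>
<script nonce="abc123">var a = 1;</script>
<style>.x{color:red}</style>
</head><body>
<table id="t" style="">
<tr><td style="width:10px">cell</td></tr>
</table>
<button onclick="reload()">go</button>
<script src="/js/datatables.js"></script>
<script>init();</script>
</body></html>
"""


def new_nonce():
    """Fresh per-response nonce; must be unpredictable and never reused."""
    return secrets.token_urlsafe(16)


def build_csp(nonce):
    """CSP header value allowing same-origin resources plus inline
    script/style that carries this response's nonce. No 'unsafe-inline'."""
    return (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'"
    )


class CspAudit(HTMLParser):
    """Collects (line, message) for markup a nonce-based CSP would block."""

    def __init__(self, nonce):
        super().__init__()
        self.nonce = nonce
        self.findings = []

    def _flag(self, msg):
        self.findings.append((self.getpos()[0], msg))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # Inline <script>/<style> bodies need the nonce; external src is
        # checked against the script-src host list instead.
        if tag in ("script", "style") and "src" not in a:
            if a.get("nonce") != self.nonce:
                self._flag(f"inline <{tag}> without valid nonce")
        # Any style attribute is blocked under style-src without
        # 'unsafe-inline'; an empty value does not exempt it.
        if "style" in a:
            kind = "empty" if not a["style"] else "non-empty"
            self._flag(f"{kind} style attribute on <{tag}>")
        # Inline event handlers (onclick=...) are blocked by script-src.
        for name in a:
            if name.startswith("on"):
                self._flag(f"inline event handler {name} on <{tag}>")


def audit(html, nonce):
    """Return the list of CSP-blocked constructs found in the HTML."""
    parser = CspAudit(nonce)
    parser.feed(html)
    parser.close()
    return parser.findings


if __name__ == "__main__":
    print(build_csp(new_nonce()))
    for line, msg in audit(SAMPLE_HTML, "abc123"):
        print(f"line {line}: {msg}")
```

Run against the sample, the audit reports the inline `<style>`, the empty and non-empty `style` attributes, the `onclick` handler and the nonce-less `<script>`; the nonced script and the external script pass. The same audit can be pointed at the HTML a report actually renders to get an inventory of what must be moved to class-based CSS or given a nonce, instead of discovering violations one at a time.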

Sebastian Morales commented on Jul 3, 2023

Sorry for the late reply. In the next version of Datagrid package we will remove the inline CSS rules in DataTables widget if they are empty. Is there any other widget in other packages that you want the same to apply?
