KoolReport's Forum


Security concerns regarding the use of unsafe-eval and unsafe-inline #3287

Open · GHSix opened this topic on May 13 - 5 comments

GHSix commented on May 13

Our client’s security team has requested the removal of “unsafe-eval” and “unsafe-inline” directives from the “Content-Security-Policy” header to enhance protection against XSS attacks, among other vulnerabilities.

When the CSP header includes something like “default-src ‘self’ ‘unsafe-eval’ ‘unsafe-inline’”, it permits the execution of JavaScript code from unsafe sources, thereby increasing the risk of XSS attacks. This encompasses functions like eval(), inline scripting and styling, among others. You can find more information on this topic here https://csp.withgoogle.com/docs/strict-csp.html and here https://content-security-policy.com and here https://0xn3va.gitbook.io/cheat-sheets/web-application/content-security-policy.

Is it possible to secure headers with Koolreport Dashboard?

Thank you for taking the time to understand our needs and for your efforts in providing clarification.

Best regards.

GHSix commented on May 17

This issue is directly linked to our ability to continue using Koolreport, so please let me know if my question is unclear in any way.

Thank you in advance

GHSix commented on May 28

Please, I really need an official response from the Koolreport team regarding this security subject. If it's not possible to use a strict CSP with Koolreport Dashboard right now, are there any plans to make it CSP compatible?

Thank you.

KoolReport commented on May 29

Hi GHSix,

Please post me your current CSP meta tag.

I would like to examine the case.

GHSix commented on May 30

Hi. Thank you for taking the time to take a look at this issue.

My current CSP is as follows:

Content-Security-Policy: default-src 'self' 'unsafe-inline' 'unsafe-eval' *.ghsix.com.br *.googleapis.com *.gstatic.com data:; img-src * data:; font-src 'self' fonts.googleapis.com fonts.gstatic.com data:; frame-ancestors 'self' *.ghsix.com.br

As soon as I remove unsafe-eval and unsafe-inline and reload the Dashboard, I get lots of errors like this one on the login screen, with a never-ending loading icon over the login form:

[Script Loader] EvalError: Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script in the following Content Security Policy directive: "default-src 'self' *.ghsix.com.br *.googleapis.com *.gstatic.com data:".

    at eval (<anonymous>)
    at e.exports (appstack.js:1:4837)
    at Object.<anonymous> (appstack.js:812:207391)
    at t (appstack.js:1:110)
    at Module.<anonymous> (appstack.js:48815:32271)
    at t (appstack.js:1:110)
    at appstack.js:1:900
    at appstack.js:1:911
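The policy posted above has no script-src directive, which is why the browser's EvalError names default-src: fetch directives that are absent inherit default-src, so every keyword in default-src also governs scripts and styles. The following Python script is an added example, not code from this thread or from KoolReport; it parses a serialized CSP, reports which unsafe keywords are live for script-src and style-src after fallback, and builds the nonce-based strict policy from the Google guide linked in the first post. The header strings are copied from the thread or constructed for the example, and the nonce handling follows the CSP2/CSP3 rule that a nonce or hash in a directive makes browsers ignore 'unsafe-inline' in that same directive.

```python
"""Audit a Content-Security-Policy header for live 'unsafe-eval' / 'unsafe-inline'."""
import secrets

# Input copied from the thread: the policy the dashboard is served with today.
POSTED_CSP = (
    "default-src 'self' 'unsafe-inline' 'unsafe-eval' *.ghsix.com.br *.googleapis.com "
    "*.gstatic.com data:; img-src * data:; font-src 'self' fonts.googleapis.com "
    "fonts.gstatic.com data:; frame-ancestors 'self' *.ghsix.com.br"
)

# Constructed from the browser error in the thread: the same policy with both keywords removed.
STRIPPED_CSP = "default-src 'self' *.ghsix.com.br *.googleapis.com *.gstatic.com data:"

# Fetch directives that fall back to default-src when they are not set explicitly.
FALLBACK_DIRECTIVES = {
    "script-src", "style-src", "img-src", "font-src", "connect-src",
    "object-src", "media-src", "frame-src", "worker-src", "manifest-src",
}
UNSAFE = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(header):
    """Split a serialized policy into {directive: [source tokens]}.

    Directives are separated by ';', tokens by whitespace. A repeated
    directive is ignored because browsers honour only the first occurrence.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Return (sources, directive actually applied) after default-src fallback."""
    if directive in policy:
        return policy[directive], directive
    if directive in FALLBACK_DIRECTIVES and "default-src" in policy:
        return policy["default-src"], "default-src"
    return [], None  # nothing restricts this directive at all


def has_nonce_or_hash(sources):
    """True when the directive carries a nonce or hash source expression."""
    return any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)


def audit(header):
    """Map script-src and style-src to the unsafe keywords that are actually live.

    'unrestricted' means neither the directive nor default-src exists.
    'unsafe-inline' is not reported when a nonce or hash is present in the
    same directive, because browsers that understand nonces ignore it then.
    """
    policy = parse_csp(header)
    report = {}
    for directive in ("script-src", "style-src"):
        sources, used = effective_sources(policy, directive)
        live = []
        if used is None:
            live.append("unrestricted")
        else:
            for kw in UNSAFE:
                if kw in sources and not (kw == "'unsafe-inline'" and has_nonce_or_hash(sources)):
                    live.append(f"{kw} via {used}")
        report[directive] = live
    return report


def strict_csp(nonce):
    """Nonce-based strict CSP in the shape recommended by csp.withgoogle.com.

    'unsafe-inline' stays only as a fallback for browsers without nonce
    support; nonce-aware browsers disregard it. No 'unsafe-eval' is granted.
    """
    return (
        f"script-src 'nonce-{nonce}' 'strict-dynamic' 'unsafe-inline' https:; "
        "object-src 'none'; base-uri 'none'"
    )


def new_nonce():
    """Fresh per-response nonce; it must be regenerated on every page load."""
    return secrets.token_urlsafe(16)


if __name__ == "__main__":
    for name, header in (("posted", POSTED_CSP), ("stripped", STRIPPED_CSP)):
        print(name, audit(header))
    nonce = new_nonce()
    print("strict", strict_csp(nonce), audit(strict_csp(nonce)))
```

Running it on the posted header reports both keywords as live for script-src and style-src "via default-src"; on the stripped header nothing unsafe is live, which matches the EvalError in the post. The nonce-based policy removes the need for 'unsafe-inline' on scripts the server emits with the nonce, but no CSP change can remove the need for 'unsafe-eval' while the bundled appstack.js still calls eval(), as the stack trace shows; that part has to change in the library itself.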

GHSix commented 22 hours ago

Hi KoolReport,

Any updates?
