Our SOC-2 auditor identified a vulnerability risk with our content security policy because we didn't have an explicit list of trusted-types in our application's Content-Security-Policy. In theory, if a 0-day exploit was found, someone could inject malicious javascript into the page and the Content-Security-Policy would block ordinary users from seeing it unless they manually edited the local response headers. The CSP acts as a last line of defense against XSS.
The usual fix is to add require-trusted-types-for 'script' to our CSP, find which elements it is blocking and whitelist them. However, this does not work on the docs page because the elements rendered by the Swagger Docs do not have a trustedType associated with them to whitelist.
We do not have a lot of frontend resources available at the moment, so wrapping everything in the frontend code in our own trusted types would be a heavy lift as a workaround. What I would like is for the swagger components to have their own trustedType(s) that I can whitelist on the trusted-types section of the CSP so the docs page will actually render instead of looking like this:
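The failure described in the issue can be reproduced outside a browser with the following added example. It is not code from the issue author or from the Swagger UI project; it is a small model of how a browser enforces `require-trusted-types-for 'script'` and the `trusted-types` directive, with a stand-in for a docs bundle that writes markup into `innerHTML`. The policy name `swagger-ui`, the CSP values and the sample markup are assumptions, and the regex "sanitizer" in the operator's default policy is a demo stand-in for a real sanitizer such as DOMPurify.

```javascript
// Added example (not from the issue author or the Swagger UI project).
// Models browser enforcement of Trusted Types so the rendering failure can be
// reproduced in Node: a bundle that assigns plain strings to innerHTML cannot
// render under `require-trusted-types-for 'script'`, and the operator can only
// allow-list a policy that the bundle actually creates, or install a 'default'
// policy of their own. Policy names and CSP values are assumptions.

// Parse the two Trusted Types directives out of a CSP header value.
function parseTrustedTypesCsp(header) {
  const csp = { enforceForScript: false, allowedPolicies: null, allowDuplicates: false };
  for (const directive of header.split(';')) {
    const [name, ...values] = directive.trim().split(/\s+/).filter(Boolean);
    if (name === 'require-trusted-types-for' && values.includes("'script'")) {
      csp.enforceForScript = true;
    } else if (name === 'trusted-types') {
      // Directive present: only the listed names (or '*') may be created.
      csp.allowedPolicies = new Set();
      for (const v of values) {
        if (v === "'allow-duplicates'") csp.allowDuplicates = true;
        else if (v !== "'none'") csp.allowedPolicies.add(v);
      }
    }
  }
  return csp;
}

// Opaque wrapper standing in for the browser's TrustedHTML object.
class TrustedHTML {
  constructor(value) { this.value = value; Object.freeze(this); }
  toString() { return this.value; }
}

// Minimal trustedTypes factory that enforces the parsed CSP on createPolicy().
function makeTrustedTypes(csp) {
  const names = new Set();
  const factory = {
    defaultPolicy: null,
    isHTML: (v) => v instanceof TrustedHTML,
    createPolicy(name, rules) {
      const allowed = csp.allowedPolicies === null
        || csp.allowedPolicies.has('*') || csp.allowedPolicies.has(name);
      if (!allowed) throw new TypeError(`Policy "${name}" disallowed by trusted-types directive`);
      if (names.has(name) && !csp.allowDuplicates) throw new TypeError(`Policy "${name}" already exists`);
      names.add(name);
      const policy = { name, createHTML: (s) => new TrustedHTML(String(rules.createHTML(String(s)))) };
      if (name === 'default') factory.defaultPolicy = policy; // sinks consult this for raw strings
      return policy;
    },
  };
  return factory;
}

// A DOM sink under enforcement: raw strings are rejected unless a default
// policy exists to convert them; TrustedHTML values pass through unchanged.
function setInnerHTML(element, value, csp, tt) {
  if (csp.enforceForScript && !tt.isHTML(value)) {
    if (!tt.defaultPolicy) throw new TypeError("This document requires 'TrustedHTML' assignment.");
    value = tt.defaultPolicy.createHTML(value);
  }
  element.innerHTML = String(value);
  return element.innerHTML;
}

// Stand-in for the docs bundle. libraryPolicy=null models a bundle that writes
// plain strings (the situation in the issue); a name models a bundle that
// creates its own policy, which the operator can then allow-list.
function renderDocs(cspHeader, markup, { libraryPolicy = null, operatorDefault = false } = {}) {
  const csp = parseTrustedTypesCsp(cspHeader);
  const tt = makeTrustedTypes(csp);
  const el = { innerHTML: '' };
  try {
    if (operatorDefault) {
      // Operator-installed fallback; the regex stands in for a real sanitizer.
      tt.createPolicy('default', {
        createHTML: (s) => s.replace(/<script[\s\S]*?<\/script>/gi, ''),
      });
    }
    let value = markup;
    if (libraryPolicy) {
      // A library policy should only vouch for markup the library itself builds.
      const policy = tt.createPolicy(libraryPolicy, { createHTML: (s) => s });
      value = policy.createHTML(markup);
    }
    return { ok: true, html: setInnerHTML(el, value, csp, tt) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample values (assumptions, not from the page).
const CSP = "default-src 'self'; require-trusted-types-for 'script'; trusted-types swagger-ui";
const MARKUP = '<div class="opblock">GET /pets</div><script>alert(1)</script>';

console.log(renderDocs(CSP, MARKUP));                                  // blocked: blank docs page
console.log(renderDocs(CSP, MARKUP, { libraryPolicy: 'other' }));      // blocked at createPolicy
console.log(renderDocs(CSP, MARKUP, { libraryPolicy: 'swagger-ui' })); // renders
console.log(renderDocs(CSP + ' default', MARKUP, { operatorDefault: true })); // renders, script stripped
```

The first call is the symptom in the issue: enforcement is on, the bundle hands a string to a sink, and there is no policy name to list. The third call is the request in the issue, a bundle-owned policy whose name goes into the `trusted-types` directive. The fourth is the workaround available without changing the bundle: the operator creates a `default` policy that sanitizes and lists `default` in the directive; the default policy then handles every raw-string sink write on the page, so its sanitizer must be a real one.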
tojaroslaw changed the title from "Cannot apply require-trusted-types-for: 'script' Content-Security-Policy" to "Cannot apply require-trusted-types-for 'script' Content-Security-Policy" on Nov 18, 2024