Content Security Policy enhancement request to enable full compliance

Mozilla has an observatory.mozilla.org site to test web sites for compliance with security requirements. The HTTP Content Security Policy header can be added to specify a policy. Modern web sites are expected to use solely safe methods and the policy should be as strict as possible. Governments and third parties often require adherence to best practice security standards.

Default owncloud setting:
default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;font-src 'self';connect-src 'self';media-src 'self'

There are two problematic settings:
script-src 'unsafe-eval'
style-src 'unsafe-inline'

These settings work, but they reduce the level of security because they would not block XSS attacks.

Is it possible to change the code to eliminate unsafe-* policies?

Documentation:
https://infosec.mozilla.org/guidelines/web_security#content-security-policy
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
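As an added check (example code written for this thread, not part of ownCloud), a small Python audit that parses a CSP header value, applies the default-src fallback, and flags the two keywords discussed above; it also treats 'unsafe-inline' as ineffective when a nonce- or hash- source sits in the same directive, which is how CSP Level 2 browsers behave.

```python
"""Audit a Content-Security-Policy header for the 'unsafe-*' source
expressions discussed in this thread (added example, not ownCloud code)."""

# Constructed from the thread: the ownCloud default policy quoted above.
OWNCLOUD_DEFAULT_CSP = (
    "default-src 'none';manifest-src 'self';script-src 'self' 'unsafe-eval';"
    "style-src 'self' 'unsafe-inline';img-src 'self' data: blob:;"
    "font-src 'self';connect-src 'self';media-src 'self'"
)

# Directives that govern executable content; each falls back to default-src
# when it is absent from the header.
EXECUTABLE_DIRECTIVES = ("script-src", "style-src")
NONCE_OR_HASH = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.
    Directive names are case-insensitive; the first occurrence of a
    directive wins, because browsers ignore later duplicates."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def find_unsafe(header):
    """Return sorted (directive, keyword, effective) triples.

    'effective' is False when 'unsafe-inline' sits next to a nonce- or
    hash- source: CSP Level 2+ browsers then ignore the keyword, so it only
    acts as a fallback for old browsers and does not widen the policy."""
    policy = parse_csp(header)
    findings = []
    for directive in EXECUTABLE_DIRECTIVES:
        raw = policy.get(directive, policy.get("default-src", []))
        sources = [s.lower() for s in raw]
        has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH) for s in sources)
        for src in sources:
            if src == "'unsafe-eval'":
                findings.append((directive, src, True))
            elif src == "'unsafe-inline'":
                findings.append((directive, src, not has_nonce_or_hash))
    return sorted(findings)


if __name__ == "__main__":
    for directive, keyword, effective in find_unsafe(OWNCLOUD_DEFAULT_CSP):
        state = "weakens policy" if effective else "ignored (nonce/hash present)"
        print(f"{directive}: {keyword} -> {state}")
```

Run against the quoted default it reports exactly the two settings named in the post; a policy that pairs 'unsafe-inline' with a nonce is reported as ineffective rather than as a weakening.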

Hey,

I did the following search https://github.com/owncloud/core/search?q=unsafe-eval&type=Issues in the ownCloud bugtracker and found this open issue which seems to me related to your question:

If it is not related then I think you could open a new feature request and ask the ownCloud team if it is possible to change the code to eliminate these unsafe policies.


Thanks for finding that. Yes, it is related, that issue is about use of eval (unsafe-eval in CSP) in scripts. My request also includes unsafe-inline. Both are important for protection in case of an attack.

Without these specific settings in CSP, the site visibly does not work properly, e.g. no files are shown and at login, a cloud image turns black. Firefox ESR CSP blocks scripts and CSS inlines in the background, F12 shows warnings.