mdb.js and mdb.min.js not CSP friendly
Expected behavior
For mdbootstrap to run without triggering either style-src or script-src Content Security Policy issues.
Actual behavior
When using either mdb.js or mdb.min.js I am getting the following CSP errors (2 errors); please note the location is different in the min file (obviously). Please note this is a script triggering a style policy.
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.
injectCSS @ mdb.js:11035 initialize @ mdb.js:11052 7.10 @ mdb.js:1985 s @ mdb.js:264 e @ mdb.js:264 (anonymous) @ mdb.js:264 (anonymous) @ mdb.js:264 (anonymous) @ mdb.js:264
AND
Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/". Either the 'unsafe-inline' keyword, a hash ('sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o='), or a nonce ('nonce-...') is required to enable inline execution.
injectCSS @ mdb.js:11038 initialize @ mdb.js:11052 7.10 @ mdb.js:1985 s @ mdb.js:264 e @ mdb.js:264 (anonymous) @ mdb.js:264 (anonymous) @ mdb.js:264 (anonymous) @ mdb.js:264
Your working environment and MDB version information
Google Chrome 64.0.3282.186 64 bit on Windows 10 x64.
Resources (screenshots, code snippets etc.)
My CSP header is: Content-Security-Policy: default-src 'self'; script-src https://az416426.vo.msecnd.net 'self' nonce-59ac6802cb324e1ea2116cca8876e361; style-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/; font-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self'; upgrade-insecure-requests;
The script tag is:
<script type="text/javascript" src="~/lib/mdb-free/js/mdb.js"></script>
I have tried adding a nonce to the script tag and also including the location as a safe location. Neither works, and after understanding CSP better I now know it should not. Because mdb is inserting styles inline, this should fail. A different, safer approach is needed. A possible solution may be found in this SO answer: https://stackoverflow.com/a/27088213/214020
Apologies for not submitting a pull request but I am already too far behind on my project.
@JStrebeyko It’s September, contact the Web Application Security Working Group if your team needs some help.
If your team does not grasp the severity and scope of this problem, read this, and these.
CSP, unsafe-inline, unsafe-eval, style-src, script-src, querySelector, htc, scriptlet, styling inside JavaScript, JavaScript inside CSS, Cross-site scripting, XSS, mdbootstrap, mdb.js, mdb.min.js, bootstrap, jQuery, Angular, React, Vue
What's up with this? This is really problematic, mdb.min.js violates both unsafe-inline and unsafe-eval CSP methods!