Allow using Content-Security-Policy without unsafe-inline
Posted: Fri Sep 14, 2018 7:04 am
This is a copy and paste report that I had submitted to the security tracker here. Derky closed it as an invalid security issue and suggested that I post my findings here.
This post is in relation to the following issue #39941 listed (and approved) for the upcoming WordPress 5.0 release:
It applies to phpBB as well. Please consider a similar fix to the one in the link above.
Using an nginx.conf file, adding the following prevents XSS attacks:
add_header Content-Security-Policy "script-src 'self'";
But that also causes issues, one being the inability to create database backups in the ACP. The only way to get around this is to add the following code, which allows XSS attacks to occur on a site:
add_header Content-Security-Policy "script-src 'self' 'unsafe-inline'";
I will use https://securityheaders.com/ as a reference point to show why. When a website is found to use 'unsafe-inline' in the Content-Security-Policy, specifically for the "script-src", this is the message it returns:
This policy contains 'unsafe-inline' which is dangerous in the script-src directive.
When 'unsafe-eval' is used, it returns the following:
This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
When 'unsafe-inline' and 'unsafe-eval' are both used, it returns the following:
This policy contains 'unsafe-inline' which is dangerous in the script-src directive. This policy contains 'unsafe-eval' which is dangerous in the script-src directive.
I would like to remove 'unsafe-inline' from my script-src but can't at the moment without losing the ability to make database backups in the ACP. Removing it may cause other issues as well, but I haven't found anything else yet. If a plugin or modification similar to the one being proposed on WordPress's website (link at top) were to be used in phpBB, everyone would be able to remove 'unsafe-inline', thus protecting their sites (and forums) from XSS attacks.
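Added example (not part of the original post, and not phpBB's or WordPress's code): a small Python checker that reproduces the kind of 'unsafe-inline' / 'unsafe-eval' finding quoted above for the script-src directive, together with the two standard ways a site can keep its own inline scripts working after dropping 'unsafe-inline', a per-response nonce or a hash of the script body. It also models, in simplified form, the browser's decision for an inline script under each policy, which shows why the 'unsafe-inline' header lets an injected script run while the nonce or hash header does not. All function names and the sample policies are assumptions made for this example; the message wording follows the post but the default-src fallback text is this example's own.

```python
"""Added example: CSP script-src checker and nonce/hash alternatives.

Not the project's own code. The function names, sample policies and the
simplified allow/deny model are assumptions made for illustration.
"""
import base64
import hashlib
import secrets
from typing import Dict, List, Optional

# Sources that securityheaders.com flags as dangerous in script-src.
DANGEROUS_SOURCES = ("'unsafe-inline'", "'unsafe-eval'")


def parse_csp(header_value: str) -> Dict[str, List[str]]:
    """Split a Content-Security-Policy header value into {directive: [sources]}.

    Directives are separated by ';' and tokens by whitespace; directive names
    are case-insensitive, so they are lower-cased. A repeated directive is
    ignored (the first occurrence wins), as browsers do.
    """
    policy: Dict[str, List[str]] = {}
    for raw in header_value.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def _effective_script_sources(policy: Dict[str, List[str]]) -> tuple:
    """script-src governs scripts; default-src is the fallback when it is absent."""
    if "script-src" in policy:
        return "script-src", policy["script-src"]
    return "default-src", policy.get("default-src", [])


def script_src_warnings(header_value: str) -> List[str]:
    """Warnings for the script sources, worded like the messages quoted in the post."""
    directive, sources = _effective_script_sources(parse_csp(header_value))
    return [
        f"This policy contains {bad} which is dangerous in the {directive} directive."
        for bad in DANGEROUS_SOURCES
        if bad in sources
    ]


def new_nonce() -> str:
    """128 bits of randomness, base64url-encoded. Generate a fresh one per response."""
    return secrets.token_urlsafe(16)


def nonce_policy(nonce: str) -> str:
    """script-src that replaces 'unsafe-inline' with a per-response nonce.

    Only <script nonce="..."> tags carrying this exact value are allowed to run;
    a script injected into the page without the nonce is blocked.
    """
    return f"script-src 'self' 'nonce-{nonce}'"


def script_hash_source(inline_script_body: str) -> str:
    """'sha256-...' source for one fixed inline script body.

    This is the alternative to a nonce for static inline scripts. The hash covers
    the exact text between <script> and </script>, whitespace included, so any
    change to the script requires regenerating the hash.
    """
    digest = hashlib.sha256(inline_script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_allowed(header_value: str, body: str, nonce: Optional[str] = None) -> bool:
    """Simplified model of the browser's decision for an inline <script>.

    Allowed when: script sources contain 'unsafe-inline' and no nonce/hash source
    (a nonce or hash source makes browsers ignore 'unsafe-inline'); or the tag's
    nonce matches a 'nonce-...' source; or the body's hash matches a 'sha256-...'.
    """
    _, sources = _effective_script_sources(parse_csp(header_value))
    has_nonce_or_hash = any(
        s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources
    )
    if "'unsafe-inline'" in sources and not has_nonce_or_hash:
        return True
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return script_hash_source(body) in sources


if __name__ == "__main__":
    weak = "script-src 'self' 'unsafe-inline'"   # constructed: the header from the post
    strict = nonce_policy(new_nonce())            # constructed: the nonce-based alternative
    for policy in (weak, strict):
        print(policy, "->", script_src_warnings(policy) or "no warnings")
        print("  injected inline script runs?", inline_script_allowed(policy, "injected()"))
```

In the nonce variant, the application must emit the same nonce value in the header and in each of its own `<script nonce="...">` tags for that response, so the header cannot be a static line in nginx.conf; the hash variant needs no runtime value and fits a static header, but only covers inline scripts whose text never changes.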