
mdb.js and mdb.min.js not CSP friendly

Open WillTartak opened this issue 7 years ago • 10 comments

Expected behavior

For mdbootstrap to run without triggering either style-src or script-src Content Script Policy issues.

Actual behavior

When using either mdb.js or mdb.min.js I am getting the following CSP errors (2 errors). Please note the location is different in the min file (obviously). Please note this is a script triggering a style policy.

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/". Either the 'unsafe-inline' keyword, a hash ('sha256-47DEQpj8HBSa+/TImW+5JCeuQeRkm5NMpJWZG3hSuFU='), or a nonce ('nonce-...') is required to enable inline execution.

injectCSS @ mdb.js:11035
initialize @ mdb.js:11052
7.10 @ mdb.js:1985
s @ mdb.js:264
e @ mdb.js:264
(anonymous) @ mdb.js:264
(anonymous) @ mdb.js:264
(anonymous) @ mdb.js:264

AND

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/". Either the 'unsafe-inline' keyword, a hash ('sha256-OTeu7NEHDo6qutIWo0F2TmYrDhsKWCzrUgGoxxHGJ8o='), or a nonce ('nonce-...') is required to enable inline execution.

injectCSS @ mdb.js:11038
initialize @ mdb.js:11052
7.10 @ mdb.js:1985
s @ mdb.js:264
e @ mdb.js:264
(anonymous) @ mdb.js:264
(anonymous) @ mdb.js:264
(anonymous) @ mdb.js:264

Your working environment and MDB version information

Google Chrome 64.0.3282.186 64 bit on Windows 10 x64.

Resources (screenshots, code snippets etc.)

My CSP header is: Content-Security-Policy:default-src 'self'; script-src https://az416426.vo.msecnd.net 'self' nonce-59ac6802cb324e1ea2116cca8876e361; style-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/css/; font-src 'self' https://maxcdn.bootstrapcdn.com/font-awesome/4.7.0/fonts/; object-src 'none'; frame-ancestors 'none'; sandbox allow-forms allow-same-origin allow-scripts; base-uri 'self'; upgrade-insecure-requests;

The script tag is: <script type="text/javascript" src="~/lib/mdb-free/js/mdb.js"></script>

I have tried adding a nonce to the script tag and also including the location as a safe location. Neither works and after understanding CSP better I now know it should not. Because mdb is inserting style inline this should fail. A different, safer approach, is needed. A possible solution may be found in this SO answer: https://stackoverflow.com/a/27088213/214020

Apologies for not submitting a pull request but I am already too far behind on my project.

WillTartak, Mar 16 '18 14:03

Hi there, thanks for letting us know. The team shall be deciding upon this matter.

JStrebeyko, Mar 21 '18 06:03

Any update on this? It makes it impossible to use mdbootstrap on any site where you care about your users' security.

ryanjerskine, Apr 10 '18 20:04

The security-related issues require careful handling. Be advised any updates on the issue will be included in this thread.

JStrebeyko, Apr 12 '18 09:04

Have you had a chance to discuss and decide on an approach for handling this yet? Thanks.

liambrown89, Jun 01 '18 14:06

What's up with this? This is really problematic: mdb.min.js violates both the unsafe-inline and unsafe-eval CSP methods!

studioramix, Sep 27 '18 20:09

@JStrebeyko It's September; contact the Web Application Security Working Group if your team needs some help.

If your team does not grasp the severity and scope of this problem, read this, and these.

CSP, unsafe-inline, unsafe-eval, style-src, script-src, querySelector, htc, scriptlet, styling inside JavaScript, JavaScript inside CSS, Cross-site scripting, XSS, mdbootstrap, mdb.js, mdb.min.js, bootstrap, jQuery, Angular, React, Vue

Colonel-IPC, Sep 30 '18 08:09

Guys, what's up with this? We can't get an A+ rating on SecurityHeaders.io without the CSP unsafe-inline fixed in mdb.js. It looks like it's only 2 functions.


Can I submit a PR?

loganmarshall1, Mar 03 '20 02:03

@JStrebeyko it's a few lines of code that need to be addressed.

As paying pro customers, can we kindly get an update?

loganmarshall1, Mar 31 '20 11:03

Still no update in 2021?

msschl, May 05 '21 13:05

@JStrebeyko 2023. Why is this issue still being ignored?

emileblume, May 15 '23 06:05