Security: CSP `style-src` Directive Allows `unsafe-inline` (ZAP Rule 10055) Medium · Issue #1257 · activist-org/activist · GitHub
Open
@aasimsyed

Description

The ZAP automated security scan (Plugin ID 10055) identified a medium-severity vulnerability in the Content Security Policy (CSP) configuration for https://www.activist.org/en/. Specifically, the style-src directive includes the 'unsafe-inline' keyword, which permits inline styles to be applied. This can increase the risk of Cross-Site Scripting (XSS) and related injection attacks if an attacker can inject malicious style attributes or tags.

Vulnerability Details

  • ZAP Plugin ID: 10055
  • CWE ID: 693 (Protection Mechanism Failure)
  • WASC ID: 15
  • Severity: Medium
  • URL(s) Affected: https://www.activist.org/en/ (and potentially other pages site-wide)
  • HTTP Method: GET
  • Parameter/Header: Content-Security-Policy

Observed CSP Header (from ZAP Evidence):

base-uri 'none';
font-src 'self' https: data:;
form-action 'self';
frame-ancestors 'self';
img-src 'self' data: blob:;
object-src 'none';
script-src-attr 'none';
style-src 'self' https: 'unsafe-inline';
script-src 'self' https: 'unsafe-inline' 'strict-dynamic'
  'sha256-UF0+4wi31il2zSoH7bScbr9k2Wd6ctrBUoRctkr/xw8='
  'sha256-kjYU7oJrfxJSKQ8muVBxhDxo3hEVNK61RlzFYSc0+Pw='
  'sha256-zrMkqwmFiDMh5HQ3TK/SdamqwXXwMZ7DL6mgURMsmho='
  'sha384-Z/t9v8FLvNAiKc78FDVfCYb7+1vNl7S01OK/e81Hg128cavj4aNvNz+jWSntpzjNYdiQ'
  'sha256-7QIjPOpXT97VD5NmIGqI7WTiAFunWN1i1ifDHVp5i+g=';
upgrade-insecure-requests;

Specific Issue Highlighted by ZAP ("Other Info"):

  • style-src includes unsafe-inline.

Impact

Allowing 'unsafe-inline' for styles means that any inline <style> blocks or style="..." attributes will be processed by the browser. If an attacker can find a way to inject arbitrary style tags or attributes (e.g., through an XSS vulnerability that allows HTML injection), they could potentially:

  • Deface the website.
  • Obscure or overlay legitimate content to trick users (phishing).
  • In some older browsers or specific scenarios, execute JavaScript via CSS expressions (though this is largely mitigated in modern browsers).
  • Extract sensitive information using carefully crafted CSS selectors and exfiltration techniques (e.g., attribute value exfiltration).

While modern browsers have protections against some CSS-based attacks, relying on 'unsafe-inline' weakens the defense-in-depth provided by CSP.

Recommended Steps

  1. Prioritize Removal of 'unsafe-inline' from style-src:
    • Move Styles to External CSS Files: The most secure approach is to move all styles into separate .css files and link them. These are then allowed by 'self' or specific FQDNs in style-src.
    • Use Hashes for Static Inline Styles: If some inline <style> blocks are unavoidable and static, calculate their SHA256/384/512 hash and add it to the style-src directive. Example: style-src 'self' 'sha256-yourHashGoesHere=';
    • Use Nonces for Dynamic Inline Styles: If inline styles are dynamically generated and change per request, generate a unique nonce for each request, add it to the style-src directive (e.g., style-src 'self' 'nonce-yourRandomNonce';), and include the same nonce in the <style nonce="yourRandomNonce">...</style> tag. django-csp can assist with nonce generation.
  2. Update Django Configuration:
    • Modify the CSP_STYLE_SRC setting in backend/core/settings.py to remove 'unsafe-inline' and include the chosen alternative (e.g., hashes, nonces, or just 'self' and trusted FQDNs if all styles are externalized).
  3. Thorough Testing:
    • After applying changes, meticulously test the visual appearance and functionality of all pages on the site.
    • Check the browser's developer console for any CSP violations related to styles.
  4. Consider Report-Only Mode:
    • Initially, you can set CSP_REPORT_ONLY = True and CSP_REPORT_URI in your Django settings to monitor for violations caused by the stricter style-src policy without actually breaking the site's appearance.
  5. Re-scan:
    • Perform another ZAP scan (or similar security scan) to confirm the style-src 'unsafe-inline' issue is remediated.
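The remediation above, worked through as an added example (not code from the activist project): it detects the condition ZAP rule 10055 reports on, computes a CSP hash-source for a static inline style block, rewrites the style-src directive without 'unsafe-inline', and shows the django-csp settings named in the report before and after. The CSP string, the inline CSS and the report endpoint are constructed samples, not values from the site.

```python
import base64
import hashlib

# Constructed sample: a subset of the header quoted in the report.
OBSERVED_CSP = "base-uri 'none'; style-src 'self' https: 'unsafe-inline'; object-src 'none'"

# Constructed sample: a static inline <style> block as it would sit in a template.
STATIC_INLINE_STYLE = "body { margin: 0; }"


def parse_csp(header):
    """Split a CSP header into {directive: [sources]}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy


def style_src_allows_unsafe_inline(header):
    """True when style-src carries 'unsafe-inline' (what ZAP 10055 flags)."""
    return "'unsafe-inline'" in parse_csp(header).get("style-src", [])


def hash_source(css, algo="sha256"):
    """CSP hash-source over the exact bytes between <style> and </style>.

    Whitespace counts: any change to the block invalidates the hash."""
    digest = hashlib.new(algo, css.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def harden_style_src(header, inline_blocks):
    """Drop 'unsafe-inline' from style-src and allow-list the given static blocks by hash."""
    policy = parse_csp(header)
    sources = [s for s in policy.get("style-src", ["'self'"]) if s != "'unsafe-inline'"]
    sources += [hash_source(css) for css in inline_blocks]
    policy["style-src"] = sources
    return "; ".join(" ".join([directive] + srcs) for directive, srcs in policy.items())


# django-csp settings as named in the report: the weak value beside the corrected one.
CSP_STYLE_SRC_BEFORE = ("'self'", "https:", "'unsafe-inline'")
CSP_STYLE_SRC_AFTER = ("'self'", "https:", hash_source(STATIC_INLINE_STYLE))
CSP_REPORT_ONLY = True            # roll the stricter policy out in report-only mode first
CSP_REPORT_URI = "/csp-report/"   # assumed endpoint, not from the report
```

Every remaining static `<style>` block needs its own hash-source, and any block rendered with per-request content needs a nonce instead, which is where the django-csp nonce support mentioned in step 1 comes in.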

Environment

  • Application Backend: Django
  • CSP Library (intended/used): django-csp

Labels: security, bug, CSP, style-src, unsafe-inline, medium-severity, ZAP-scan

GitHub labels: frontend (Relates to the project frontend), help wanted (Extra attention is needed)