Rules Repository / RSPEC-5728

Disabling content security policy fetch directives is security-sensitive

    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Labels:
    • Message:
      Make sure not enabling content security policy fetch directives is safe here.
    • Default Severity:
      Minor
    • Impact:
      Low
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      ABAP, APEX, C#, C, C++, Cobol, CSS, Flex, Go, HTML, Java, JavaScript, Kotlin, Objective-C, PHP, PL/I, PL/SQL, Python, RPG, Ruby, Rust, Scala, Solidity, Swift, T-SQL, TypeScript, VB.Net, VB6, XML
    • Remediation Function:
      Linear
    • Linear Argument Description:
      60min
    • Analysis Level:
      Control-flow Analysis
    • Analysis Scope:
      Main Sources
    • OWASP:
      A6

      Description

      Content security policy (CSP) fetch directives are part of a W3C standard that lets a server specify, through the Content-Security-Policy HTTP header, the origins from which the browser may load each kind of resource (scripts, images, styles, and so on). CSP helps to mitigate the impact of cross-site scripting (XSS) attacks and to reduce the privileges an application effectively holds in the browser. If the website does not send a CSP header, the browser imposes no restriction on where subresources are loaded from: the same-origin policy limits what a page's scripts may read from other origins, it does not stop the page from loading scripts or images hosted anywhere.

      Content-Security-Policy: default-src 'self'; script-src 'self' http://www.example.com
      

      In the above example, every kind of resource may be loaded from the website that sets the header (default-src 'self'), and scripts may additionally be loaded from www.example.com (script-src 'self' http://www.example.com); for scripts the more specific script-src directive takes precedence over default-src:

      <img src="selfhostedimage.png"> <!-- loaded: there is no img-src directive, so default-src 'self' applies and the image is same-origin -->
      <img src="http://www.example.com/image.png"> <!-- will NOT be loaded: default-src 'self' applies and www.example.com is not the page's origin -->
      <script src="http://www.example.com/library.js"></script> <!-- loaded: script-src 'self' http://www.example.com lists www.example.com -->
      <script src="selfhostedscript.js"></script> <!-- loaded: script-src 'self' http://www.example.com allows the page's own origin -->
      <script src="http://www.otherexample.com/library.js"></script> <!-- will NOT be loaded: www.otherexample.com is not listed in script-src -->
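
      As an added, runnable illustration (not part of the SonarSource rule text), the JavaScript below reproduces the browser's decision for each of the five resources above. It assumes the header is served by a page at https://app.example.org, an origin the rule does not name, and the functions parseCsp, sourceMatches, isAllowed and runCases are this example's own. It also shows the generalisation the text only hints at: the lookup falls back from the specific directive (img-src, script-src) to default-src, and with no header at all every resource loads, which is exactly the situation this hotspot asks you to review.

```javascript
// Added example, not from the SonarSource rule: a minimal evaluator for CSP
// fetch directives. A resource is checked against its specific directive
// (script-src, img-src, ...), falling back to default-src when that directive
// is absent; with no governing directive at all nothing is blocked. Supported
// source expressions: 'self', 'none', '*', scheme-only (https:) and
// host-source (scheme://*.host:port). Nonces, hashes, 'unsafe-inline' and
// path matching are deliberately out of scope.

const DIRECTIVE_FOR = {
  script: 'script-src', img: 'img-src', style: 'style-src', font: 'font-src',
  connect: 'connect-src', media: 'media-src', frame: 'frame-src',
};
const DEFAULT_PORTS = { 'http:': '80', 'https:': '443', 'ws:': '80', 'wss:': '443' };

// Parse a Content-Security-Policy header value into { directive: [sources] }.
// A directive repeated within one policy is ignored after its first occurrence.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    const key = name.toLowerCase();
    if (!(key in policy)) policy[key] = sources;
  }
  return policy;
}

// Does one source expression permit `resource` (a URL) loaded from `page` (a URL)?
function sourceMatches(source, resource, page) {
  if (source === "'none'") return false;
  if (source === "'self'") {
    // Same scheme, host and port as the document that carried the policy.
    return resource.protocol === page.protocol && resource.host === page.host;
  }
  if (source.startsWith("'")) return false;              // keyword/nonce/hash: out of scope
  if (source === '*') return !['data:', 'blob:', 'filesystem:'].includes(resource.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/i.test(source)) {             // scheme-source, e.g. "https:"
    return resource.protocol === source.toLowerCase();
  }
  // host-source: [scheme://][*.]host[:port|:*]
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*\.)?([^:/*]+)(?::(\d+|\*))?$/i.exec(source);
  if (!m) return false;                                    // unrecognised expression never matches
  const [, scheme, wildcard, host, port] = m;
  if (scheme) {
    if (scheme.toLowerCase() + ':' !== resource.protocol) return false;
  } else if (resource.protocol !== page.protocol && resource.protocol !== 'https:') {
    return false; // schemeless source takes the page's scheme; http pages may also load https
  }
  const hostname = resource.hostname.toLowerCase();
  const want = host.toLowerCase();
  if (wildcard ? !hostname.endsWith('.' + want) : hostname !== want) return false;
  if (port === undefined) return resource.port === '';     // no port listed: default port only
  if (port === '*') return true;
  return (resource.port || DEFAULT_PORTS[resource.protocol] || '') === port;
}

// Would the browser load `resourceUrl` as `kind` from a page at `pageUrl` under `header`?
// Relative URLs resolve against the page, as in the <img>/<script> tags above.
function isAllowed(header, pageUrl, kind, resourceUrl) {
  const directive = DIRECTIVE_FOR[kind];
  if (!directive) throw new Error(`unknown resource kind: ${kind}`);
  const policy = parseCsp(header);
  const sources = policy[directive] ?? policy['default-src'];
  if (sources === undefined) return true;                  // no CSP, or no governing directive
  const page = new URL(pageUrl);
  const resource = new URL(resourceUrl, pageUrl);
  return sources.some((s) => sourceMatches(s, resource, page));
}

// The header from the rule text. The page origin is not named there, so
// https://app.example.org is an assumption made for this example.
const HEADER = "default-src 'self'; script-src 'self' http://www.example.com";
const PAGE = 'https://app.example.org/index.html';

// The five resources from the rule text, with the verdict the text gives for each.
const CASES = [
  ['img', 'selfhostedimage.png', true],
  ['img', 'http://www.example.com/image.png', false],
  ['script', 'http://www.example.com/library.js', true],
  ['script', 'selfhostedscript.js', true],
  ['script', 'http://www.otherexample.com/library.js', false],
];

// Evaluate every case; `ok` records whether our verdict agrees with the text.
function runCases(header = HEADER, page = PAGE) {
  return CASES.map(([kind, url, expected]) => {
    const allowed = isAllowed(header, page, kind, url);
    return { kind, url, allowed, expected, ok: allowed === expected };
  });
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of runCases()) {
    console.log(`${r.ok ? 'OK ' : 'BAD'} ${r.kind.padEnd(6)} ${r.url} -> ${r.allowed ? 'loaded' : 'blocked'}`);
  }
  // With no header at all the third-party script loads: this is the hotspot the rule flags.
  console.log('no header:', isAllowed('', PAGE, 'script', 'http://www.otherexample.com/library.js'));
}
```

      Run it with node and compare the five verdicts with the comments on the tags above; then change HEADER to an empty string and watch the script from www.otherexample.com become loadable, which is what "not enabling content security policy fetch directives" means in practice.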
      

      Ask Yourself Whether

      • The resources of the application are fetched from various untrusted locations.

      There is a risk if you answered yes to this question.

      Recommended Secure Coding Practices

      • Implement content security policy fetch directives, in particular a restrictive default-src directive, and continue to sanitize and validate all inputs of the application: CSP fetch directives only reduce the impact of a cross-site scripting attack, they do not prevent the injection itself.

      See

        Attachments

        1. JavaScript RSPEC-5729 Language-Specification Active Unassigned
        2. Java RSPEC-5875 Language-Specification Active Unassigned

            People

            • Assignee:
              Unassigned
              Reporter:
              eric.therond Eric Therond
            • Votes:
              0
              Watchers:
              1
