CSP for the Loginapp based on JSPs: Required modifications

Custom JSPs

In order for the default CSP to work with custom JSPs, modifications are required in the following cases:

  • The custom JSPs contain <script> tags
  • The custom JSPs contain inline JavaScript event handlers, such as onload or onsubmit
  • The custom JSPs violate the IAM default CSP in some other way (modifications to the JSPs or to the default policy may be required)

Modifications for <script> tags

A nonce must be applied to all script tags.

Given script tags without a nonce, e.g.:

<script type="text/javascript"> (...) </script>
<script src=(...) ></script>

The modification is as follows:

<script nonce="${requestScope.cspNonce}" type="text/javascript"> (...) </script>
<script nonce="${requestScope.cspNonce}" src=(...) ></script>

Adding a nonce to a <script> tag is a whitelisting process: the browser executes whatever the nonced tag contains. Before whitelisting a script in this way, it must therefore be ensured that its content cannot be influenced by untrusted input, i.e. that it is not vulnerable to XSS code injection.

Modifications for inline JavaScript event handlers

Inline JavaScript event handlers cannot be nonced and will therefore be blocked by browsers that support CSP.

Suppose the following event handler is given:

<form name="SOMEFORM" method="POST" action="login" onsubmit="return someFunction();" id="mainform">
    (...)
</form>

It can be refactored as follows to work with the default CSP:

<form name="SOMEFORM" method="POST" action="login" id="mainform">
    (...)
</form>
<script nonce="${requestScope.cspNonce}" type="text/javascript">
    $("#mainform").on('submit', function () { return someFunction(); });
</script>
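As an added example (not part of this documentation and not Airlock IAM code), the following Node.js script audits custom JSP source for the two constructs discussed above: <script> tags that lack the nonce="${requestScope.cspNonce}" attribute (or carry a hard-coded nonce, which defeats the purpose of a nonce) and inline on* event handlers, which cannot be nonced. It is a regex-based heuristic rather than a full HTML parser, and the JSP snippet in SAMPLE_JSP is a constructed input.

```javascript
// Added example, not part of the Airlock IAM documentation or product: a small
// audit script that scans JSP/HTML source for the constructs the default CSP
// blocks. SAMPLE_JSP is a constructed input.

// The attribute the IAM Loginapp JSPs must carry on every <script> tag.
const EXPECTED_NONCE_ATTR = 'nonce="${requestScope.cspNonce}"';

// 1-based line number of a character offset in source.
function lineOf(source, index) {
  return source.slice(0, index).split('\n').length;
}

// Returns one finding per problem, in document order:
//   script-without-nonce     - <script> tag with no nonce attribute at all
//   script-with-static-nonce - nonce present, but not the per-request EL value
//   inline-event-handler     - an on* attribute on any tag (cannot be nonced)
function auditJsp(source) {
  const findings = [];
  const tagRe = /<([a-z][\w-]*)\b([^>]*)>/gi; // opening tags and their attribute string
  const handlerRe = /\b(on[a-z]+)\s*=/gi;     // onload=, onsubmit=, onchange=, ...
  let tag;
  while ((tag = tagRe.exec(source)) !== null) {
    const [whole, name, attrs] = tag;
    const line = lineOf(source, tag.index);
    if (name.toLowerCase() === 'script') {
      if (!/\bnonce\s*=/i.test(attrs)) {
        findings.push({ line, kind: 'script-without-nonce', snippet: whole });
      } else if (!attrs.includes(EXPECTED_NONCE_ATTR)) {
        findings.push({ line, kind: 'script-with-static-nonce', snippet: whole });
      }
    }
    let handler;
    while ((handler = handlerRe.exec(attrs)) !== null) {
      findings.push({
        line,
        kind: 'inline-event-handler',
        tag: name,
        attribute: handler[1],
        snippet: whole,
      });
    }
  }
  return findings;
}

// Constructed JSP fragment mixing compliant and non-compliant constructs.
const SAMPLE_JSP = [
  '<%@ page contentType="text/html;charset=UTF-8" %>',
  '<html><body onload="init();">',
  '<form name="SOMEFORM" method="POST" action="login" onsubmit="return someFunction();" id="mainform">',
  '  <input type="text" name="user" onchange="validate(this)">',
  '</form>',
  '<script type="text/javascript"> init(); </script>',
  '<script nonce="${requestScope.cspNonce}" src="/js/login.js"></script>',
  '<script nonce="abc123" src="/js/other.js"></script>',
  '</body></html>',
].join('\n');

// Human-readable summary, one line per finding.
function report(source) {
  return auditJsp(source).map(
    (f) => `line ${f.line}: ${f.kind}${f.attribute ? ' (' + f.attribute + ')' : ''}`
  );
}

console.log(report(SAMPLE_JSP).join('\n'));
```

Run it with `node audit.js`; each reported line points at a tag that needs the nonce attribute added or the handler moved into a nonced script block as shown above.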

If the JSPs violate the IAM default policy

The IAM default policy may be violated, e.g., if the JSPs include resources from other hosts. In these cases, either the JSPs must be modified or the default policy must be adapted; please refer to 'Configuration'.

Known use cases requiring CSP customization

In the following cases the default CSP (see 'Configuration') must be adapted:

IAM is embedded in an iFrame

The frame-ancestors directive must be relaxed to allow the host that frames IAM.

Limitations

  • The Airlock Gateway (WAF) "CSRF Tokens" feature does not support CSP nonces before Airlock WAF version 7.3. We recommend updating to Airlock WAF 7.3 or higher and enabling both the CSP features on IAM and the "CSRF Tokens" feature on the Gateway (WAF) mapping for IAM. If an update to Airlock WAF 7.3 is currently not possible, we recommend temporarily disabling the Gateway (WAF) "CSRF Tokens" feature and re-enabling it after the Airlock Gateway (WAF) update.
  • CSPs are enforced by the browser, and browser support for CSP varies considerably. In particular, some browsers do not support the most recent CSP version, or have no CSP support at all, see [4]. In these cases, a CSP may have no effect at all. The CSP Evaluator [5] can be used to show what guarantees a given CSP provides in browsers supporting a given CSP version.