Mrten

Reputation: 532

How to safely combine script-src with known JSONP endpoint hosters like syndication.twimg.com?

I'm playing with Content Security Policy for a page with embedded tweets and I'm getting reports for https://cdn.syndication.twimg.com, which isn't allowed in my policy.

It's a pretty long policy but the relevant parts are

default-src 'none'; ... script-src 'self' apis.google.com platform.twitter.com; ...

However, if I add cdn.syndication.twimg.com or *.twimg.com to the script-src part of the header, I get a warning when I run the header through the Google CSP evaluator:

cdn.syndication.twimg.com is known to host JSONP endpoints which allow to bypass this CSP.

Some other domains also provoke this warning.

It seems that I'm between a rock and a hard place: either I disallow Twitter from running scripts (needed? I really don't know) and get policy violation reports, or I'm running with a pretty much useless CSP.

Is there a way out of this conundrum?

Upvotes: 5

Views: 2773

Answers (1)

Michael come lately

Reputation: 9333

The validator does not complain if you change script-src to script-src-elem.

I suspect this is a bug in the validator rather than a fix to the reported vulnerability. Open JSONP endpoints are equally exploitable with either CSP stanza.

Upvotes: 1
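To make the answer's point concrete, here is an added example (not code from the question, the answer, or Google's CSP evaluator): a small checker that parses a CSP header and flags script host-sources covering a known JSONP host, treating script-src and script-src-elem identically. The JSONP host list is constructed from the one host named above and is an assumption; a real evaluator carries a much longer list.

```python
# Added example: flag CSP script sources that allow-list a JSONP endpoint host.
# Both script-src and script-src-elem govern which <script src> URLs load, so
# an open JSONP endpoint on an allow-listed host weakens either directive.

# Constructed for this example from the host named on the page (assumption).
JSONP_HOSTS = {"cdn.syndication.twimg.com"}

# Directives whose host-sources decide which script URLs may be loaded.
SCRIPT_DIRECTIVES = ("script-src", "script-src-elem")


def parse_csp(header):
    """Split a CSP header into {directive: [source, ...]}; first copy wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def host_matches(source, host):
    """Does a host-source (scheme/port/path optional, '*.' wildcard) cover host?"""
    pattern = source.lower()
    if "://" in pattern:
        pattern = pattern.split("://", 1)[1]
    pattern = pattern.split("/", 1)[0].split(":", 1)[0]  # drop path and port
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # '*.twimg.com' covers any subdomain
    return pattern == host


def jsonp_findings(header):
    """Return (directive, source, jsonp_host) for each risky script source."""
    policy = parse_csp(header)
    findings = []
    for directive in SCRIPT_DIRECTIVES:
        for source in policy.get(directive, []):
            for host in sorted(JSONP_HOSTS):
                if host_matches(source, host):
                    findings.append((directive, source, host))
    return findings


if __name__ == "__main__":
    header = "default-src 'none'; script-src 'self' apis.google.com platform.twitter.com *.twimg.com"
    for finding in jsonp_findings(header):
        print("%s: source %s covers JSONP host %s" % finding)
```

Swapping script-src for script-src-elem in the sample header yields the same finding, which is the behaviour the answer says the validator should have.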