GustavoNogueira

Reputation: 399

What's wrong with my CSP? Content Security Policy (CSP) implemented unsafely

I have the following CSP embedded in my AWS instance; however, it doesn't seem to be properly configured. When I scan via Mozilla Observatory, I get the following message: Content Security Policy (CSP) implemented unsafely.

        Header set Content-Security-Policy "default-src 'unsafe-inline' https://vlibras.gov.br https://*.chargebee.com https://*.chargebeeportal.com https://*.cloudfront.net https://*.jobconvo.com https://*.amazonaws.com https://www.google-analytics.com https://jobconvo.freshdesk.com https://assets.freshdesk.com https://*.googleapis.com https://gitcdn.github.io https://*.youtube.com https://*.gstatic.com https://*.doubleclick.net https://www.google.com/recaptcha/ https://www.google.com object-src data: 'unsafe-eval' blob: 'unsafe-eval' font-src: 'self' data;"

After studying a little, am I right to think that the problem is in the unsafe-inline parameter? If so, how can I get around this, since I already have embedded HTML in onClick()?

Upvotes: 0

Views: 1013

Answers (1)

granty

Reputation: 8546

Firstly, your CSP has fatal errors: you missed the ; between directives and used a wrong directive name like 'font-src:'.

Mozilla Observatory assumes the CSP is unsafe because of the use of the unsafe tokens 'unsafe-eval' and 'unsafe-inline' in script-src/default-src.

I already have embedded HTML in onClick ()

To avoid 'unsafe-inline' you can use addEventListener("click", ) instead of <tag onClick='...'>.

To avoid 'unsafe-eval' it is necessary to know which unsafe constructs you use: eval(), Function(), setInterval() or setTimeout(). The last two can be fixed easily (please see the comments).

Upvotes: 1
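A small linter that reports the three problems the answer names (a directive name swallowed into another directive's source list because the ';' is missing, the misspelled 'font-src:' directive, and 'unsafe-inline'/'unsafe-eval' governing scripts). This is an added example, not code from the question or the answer; the sample policy reuses a few of the hosts from the question, and the "fixed" policy is an assumed rewrite along the lines the answer suggests.

```javascript
// Added example, not code from the question or the answer: a small linter for
// the problems the answer names in a Content-Security-Policy header value.
const KNOWN_DIRECTIVES = new Set([
  "default-src", "script-src", "style-src", "img-src", "font-src",
  "connect-src", "object-src", "frame-src", "media-src", "worker-src",
  "child-src", "manifest-src", "base-uri", "form-action", "frame-ancestors",
  "report-uri", "report-to", "sandbox", "upgrade-insecure-requests",
]);

// Returns a list of human-readable findings; an empty list means nothing was found.
function lintCsp(policy) {
  const findings = [];
  const directives = new Map();
  for (const chunk of policy.split(";")) {
    const tokens = chunk.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // trailing ';' or empty chunk
    const name = tokens[0].toLowerCase();
    const sources = tokens.slice(1);
    if (!KNOWN_DIRECTIVES.has(name)) {
      findings.push(`unknown directive '${tokens[0]}' (whole directive is ignored)`);
    }
    // A directive name inside a source list means the ';' before it is missing.
    // Strip one trailing ':' so 'font-src:' is caught but 'data:'/'blob:' are not.
    for (const src of sources) {
      if (KNOWN_DIRECTIVES.has(src.toLowerCase().replace(/:$/, ""))) {
        findings.push(`'${src}' appears inside ${name}: missing ';' before it`);
      }
    }
    directives.set(name, sources);
  }
  // script-src falls back to default-src when absent, so the unsafe tokens
  // count against whichever of the two actually governs scripts.
  const scriptSources =
    directives.get("script-src") ?? directives.get("default-src") ?? [];
  for (const unsafe of ["'unsafe-inline'", "'unsafe-eval'"]) {
    if (scriptSources.includes(unsafe)) findings.push(`${unsafe} is allowed for scripts`);
  }
  return findings;
}

// Sample input: the header value from the question with a shortened host list.
const QUESTION_POLICY =
  "default-src 'unsafe-inline' https://vlibras.gov.br https://*.amazonaws.com " +
  "https://www.google.com object-src data: 'unsafe-eval' blob: 'unsafe-eval' " +
  "font-src: 'self' data;";
// Assumed rewrite in the spirit of the answer: separators fixed, no unsafe tokens.
const FIXED_POLICY =
  "default-src 'self' https://vlibras.gov.br https://*.amazonaws.com https://www.google.com; " +
  "object-src 'none'; font-src 'self' data:;";

console.log(lintCsp(QUESTION_POLICY)); // four findings
console.log(lintCsp(FIXED_POLICY));    // []
```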
