Reputation: 1
I have a dynamic CSP for my website; it dynamically generates the nonce for the Cloudflare inline JavaScript and the code executes, so there is no problem with running the code. My ZAP report still gives a wildcard directive alert for these Cloudflare inline scripts. What would be the issue, and how could I get rid of these errors in ZAP?
My dynamic nonce and header:
<?php
session_start(); // must run before $_SESSION is used

// One random nonce per session, reused across requests
if (!isset($_SESSION['nonce'])) {
    $_SESSION['nonce'] = base64_encode(random_bytes(16));
}
$nonce = $_SESSION['nonce'];

// Directives are ';'-separated; the original was missing the ';' between style-src and img-src
header("Content-Security-Policy: default-src 'self'; connect-src 'self'; script-src 'self' 'nonce-$nonce' https://challenges.cloudflare.com; style-src 'self' 'nonce-$nonce'; img-src 'self' data:; font-src 'self' data:;");
The CSP Wildcard Directive error is on this code. Alert tags: CWE-693, OWASP_2021_A05, OWASP_2017_A06
<script nonce="r3CeLtyhzGox9T5WkMPwUQ==">(function(){function c(){var b=a.contentDocument||a.contentWindow.document;if(b){var d=b.createElement('script');d.nonce='r3CeLtyhzGox9T5WkMPwUQ==';d.innerHTML="window.__CF$cv$params={r:'91700d89fd364c79',t:'MTc0MDQwNjM3MC4wMDAwMDA='};var a=document.createElement('script');a.nonce='r3CeLtyhzGox9T5WkMPwUQ==';a.src='/cdn-cgi/challenge-platform/scripts/jsd/main.js';document.getElementsByTagName('head')[0].appendChild(a);";b.getElementsByTagName('head')[0].appendChild(d)}}if(document.body){var a=document.createElement('iframe');a.height=1;a.width=1;a.style.position='absolute';a.style.top=0;a.style.left=0;a.style.border='none';a.style.visibility='hidden';document.body.appendChild(a);if('loading'!==document.readyState)c();else if(window.addEventListener)document.addEventListener('DOMContentLoaded',c);else{var e=document.onreadystatechange||function(){};document.onreadystatechange=function(b){e(b);'loading'!==document.readyState&&(document.onreadystatechange=e,c())}}}})();</script>
I've tried changing the CSP in multiple ways but I don't see a possible outcome to get rid of these Wildcard Directive errors. Is it impossible, or what could be the solution? Should I get rid of the JavaScript challenge to make the CSP worth it?
Upvotes: 0
Views: 13
Reputation: 1528
What's the "Other Info" associated with the alert?
Are you sure you aren't encountering the CSP issue where you've failed to define a directive that doesn't fall back to Default Source?
Ex: https://github.com/zaproxy/zaproxy/issues/8700
Upvotes: 0
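As an added example (not code from the question, the answer, or ZAP), here is a small Python linter that parses a CSP header value the way a browser does and reports the two things discussed above: a directive name showing up as a source (the header in the question has no ';' between style-src and img-src, so img-src is swallowed into style-src) and the directives that never fall back to default-src and are therefore unrestricted when omitted. The directive tables, the sample headers and the PLACEHOLDER nonce are constructed for this example; it reproduces the reasoning behind the alert, not ZAP's own implementation.

```python
"""Lint a Content-Security-Policy header value for problems a scanner reports.

Added example; not from the question or from ZAP. The directive tables are
constructed from the CSP3 classification of fetch vs. non-fetch directives.
"""
from __future__ import annotations

# Fetch directives: when absent, the browser falls back to default-src.
FETCH_DIRECTIVES = {
    "child-src", "connect-src", "font-src", "frame-src", "img-src",
    "manifest-src", "media-src", "object-src", "script-src",
    "script-src-elem", "script-src-attr", "style-src", "style-src-elem",
    "style-src-attr", "worker-src",
}

# Directives that do NOT fall back to default-src: if missing, nothing at all
# restricts framing, form targets or <base>, which is why scanners report them.
NO_FALLBACK_DIRECTIVES = {"base-uri", "form-action", "frame-ancestors"}

KNOWN_DIRECTIVES = FETCH_DIRECTIVES | NO_FALLBACK_DIRECTIVES | {
    "default-src", "sandbox", "report-uri", "report-to",
    "upgrade-insecure-requests", "require-trusted-types-for", "trusted-types",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a serialized policy into {directive: [sources]}.

    Directives are ';'-separated, tokens are whitespace-separated, and a
    repeated directive is ignored (first occurrence wins), as in CSP3.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if not tokens:
            continue
        name, *sources = tokens
        policy.setdefault(name.lower(), sources)
    return policy


def lint_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means the policy looks clean."""
    findings: list[str] = []
    policy = parse_csp(header)

    for name, sources in policy.items():
        if name not in KNOWN_DIRECTIVES:
            findings.append(f"unknown directive '{name}'")
        for src in sources:
            # A directive name used as a *source* almost always means a ';'
            # was dropped, so the following directive got swallowed.
            if src.lower() in KNOWN_DIRECTIVES:
                findings.append(
                    f"{name}: '{src}' is a directive name used as a source; "
                    f"a ';' is probably missing before it"
                )
            # '*' and bare scheme sources allow any host: effectively wildcards.
            if src == "*" or src in ("http:", "https:"):
                findings.append(f"{name}: wildcard source '{src}'")

    # Non-fetch directives never inherit from default-src, so absence is silent.
    for directive in sorted(NO_FALLBACK_DIRECTIVES - set(policy)):
        findings.append(f"{directive} is not defined and does not fall back to default-src")
    return findings


# Constructed sample: the header from the question with a placeholder nonce.
QUESTION_HEADER = (
    "default-src 'self'; connect-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER' https://challenges.cloudflare.com; "
    "style-src 'self' 'nonce-PLACEHOLDER' img-src 'self' data:; font-src 'self' data:;"
)

# Constructed sample: same policy with the ';' restored and the three
# non-fallback directives set explicitly.
FIXED_HEADER = (
    "default-src 'self'; connect-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER' https://challenges.cloudflare.com; "
    "style-src 'self' 'nonce-PLACEHOLDER'; img-src 'self' data:; font-src 'self' data:; "
    "base-uri 'self'; form-action 'self'; frame-ancestors 'none';"
)

if __name__ == "__main__":
    for label, hdr in (("question", QUESTION_HEADER), ("fixed", FIXED_HEADER)):
        print(label, lint_csp(hdr) or ["clean"])
```

Running it shows the question's header producing four findings (the swallowed img-src plus the three undefined non-fallback directives) and the fixed header producing none. One further caveat a reviewer would raise on the question's PHP: the nonce is stored in the session and reused across responses, whereas a CSP nonce is meant to be unpredictable per response, so a fresh random_bytes() call per request is the safer pattern.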