Catching Content Security Policy (CSP) errors

I'm using this method to detect CSP with eval (also used in AngularJS):

  function noUnsafeEval() {
    try {
      // The Function constructor compiles a string to code, which CSP
      // blocks unless 'unsafe-eval' is allowed.
      new Function('');
      return false; // compiled fine: eval is allowed
    } catch (err) {
      return true;  // constructor threw: eval is blocked
    }
  }

But I don't have a server with CSP at hand to thoroughly test it.

Is it reliable? Can the presence of the new Function('') line in code cause an error that cannot be caught?

What is err? Which kind of error is caught there (Error, TypeError, etc.)? What does the message of the CSP error say?

I couldn't find the documentation on runtime errors in CSP.

Estus Flask asked Feb 25 '17 15:02
1 Answer

Regarding how to detect CSP, there is another Stack Overflow question: How to detect Content Security Policy (CSP), and it also shows your function.

It should be safe to use it, because, as long as the code reaches the Function constructor (i.e. it is not blocked before by some other restriction), you will invariably get a return value from noUnsafeEval.

From my knowledge, it will throw an EvalError (mozilla) if CSP disallows unsafe eval. But this may differ from browser to browser.

The best way to be sure would be to test this. You can use http://mockbin.org to create an HTTP endpoint which returns a page with the right CSP headers and your function. I made such a bin here: http://mockbin.org/bin/cc6029e5-8aac-4a54-8fd1-abf41e17042a. If you open it, open the dev console and debug the code, you will see the exception:

[Screenshot: CSP Test]


Later edit

You can also find this information in the W3C recommendations / drafts: CSP 1.1, CSP 2, CSP 3. In 1.1 you would get a SecurityError instead of an EvalError.

Serban Petrescu answered Oct 29 '22 14:10
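An added example (not from the question or the answer) that extends the question's probe to report which error was thrown, so the EvalError versus SecurityError difference the answer describes can be logged rather than collapsed into a boolean, and that distinguishes a CSP block from an unrelated exception. `probeUnsafeEval`, `isCspEvalBlock`, `watchCspViolations` and the injectable `compile` parameter are my own names, and the message in `simulatedCspBlock` is constructed for the example, not any browser's real text.

```javascript
// Probe the dynamic-code path that CSP's 'unsafe-eval' governs. Unlike the
// question's noUnsafeEval(), this returns what was thrown, not just a boolean.
// `compile` is injectable so the blocked case can be exercised outside a
// browser; it defaults to the same `new Function('')` probe as the question.
function probeUnsafeEval(compile = () => new Function('')) {
  try {
    compile();
    return { blocked: false, errorName: null, message: null };
  } catch (err) {
    // The constructor call and the catch are synchronous, so nothing escapes
    // the try; whatever the engine throws lands here.
    return {
      blocked: true,
      errorName: err && err.name ? err.name : 'Unknown',
      message: err && err.message ? err.message : String(err),
    };
  }
}

// Error names the answer mentions: EvalError (CSP 2/3) and SecurityError
// (CSP 1.1). A TypeError or ReferenceError from the probe is something else
// (e.g. a shadowed Function global), not a CSP block, so log it separately.
const CSP_EVAL_ERROR_NAMES = new Set(['EvalError', 'SecurityError']);

function isCspEvalBlock(result) {
  return result.blocked && CSP_EVAL_ERROR_NAMES.has(result.errorName);
}

// Simulated blocked engine for running this file without a CSP header.
// The message text is constructed for this example and quotes no browser.
function simulatedCspBlock() {
  throw new EvalError('String evaluation refused by Content-Security-Policy (constructed message)');
}

// In a CSP 3 browser the page can also observe the violation directly via the
// securitypolicyviolation event, a cleaner signal for a logging endpoint than
// inferring it from a thrown error. Returns false when there is no document.
function watchCspViolations(report) {
  if (typeof document === 'undefined') return false; // not in a browser (e.g. Node)
  document.addEventListener('securitypolicyviolation', (e) => {
    report({ directive: e.violatedDirective, blockedURI: e.blockedURI, line: e.lineNumber });
  });
  return true;
}

// Stand-alone demonstration of the three cases.
console.log(probeUnsafeEval());                  // allowed here: no CSP outside a browser
console.log(probeUnsafeEval(simulatedCspBlock)); // blocked, errorName 'EvalError'
console.log(isCspEvalBlock(probeUnsafeEval(() => { throw new TypeError('not CSP'); })));
```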