Content Security Policy headers in Play! Framework

I have a question on the Content Security Policy using the Play! framework (2.6).

I have added an external library to the project for drawing charts, the javascript file is in the project and the charts are rendering fine.

The problem I am having is my console is spewing out errors left and right. This is the error I keep getting:

Refused to apply inline style because it violates the following Content Security Policy directive: "style-src 'self'". Either the 'unsafe-inline' keyword, a hash ('sha256-GPjBVmsZjSEoackW5SF7HKgSHcUUBqf1/TJwOl3Co7Y='), or a nonce ('nonce-...') is required to enable inline execution.

While searching for how to fix this problem I came across suggestions like including a meta tag in the HTML, which did nothing in Play. I've also tried to put the ContentSecurityHeader in application.conf as explained here: https://www.playframework.com/documentation/2.6.x/SecurityHeaders That also did not work. While developing my project I have also had errors come up regarding default-src 'self'; I presume it will be the same type of fix, and it's something to do with configuration that I'm not getting right.

If anyone has had to do this type of configuration before I would love some pointers on how to configure my application properly.

Thanks in advance!

Dragomir Kolev, asked Aug 07 '17 09:08



2 Answers

To allow images from a CDN, the following worked for me (Play version 2.6):

play.filters.headers.contentSecurityPolicy = "default-src 'self'; img-src 'self' https://my.img.cdn.com"

The following allowed inline style attributes:

play.filters.headers.contentSecurityPolicy = "default-src 'self'; style-src 'self' 'unsafe-inline'"

However there is a caveat:

"Banning inline script is the biggest security win CSP provides, and banning inline style likewise hardens your application." (HTML5 Rocks, Content Security Policy, 2017-11-18)

chim, answered Nov 16 '22 01:11


Add this line to the application.conf file: play.filters.disabled += "play.filters.headers.SecurityHeadersFilter". That works for me.

Luis Eduardo Garcia Albarran, answered Nov 16 '22 01:11
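As an added example (my own Python, not code from either answer or from Play), here is the third option the browser's error message hints at, sitting between 'unsafe-inline' (first answer) and disabling SecurityHeadersFilter altogether (second answer, which also drops every other header that filter sets): allowlist the chart library's inline styles by hash. The helper computes the sha256 hash token the error message refers to, evaluates a policy value with the same style-src to default-src fallback the browser applies, and emits the matching application.conf line. SAMPLE_STYLE is a constructed body; the real hash in the question belongs to whatever style the chart library injects.

```python
import base64
import hashlib

# Constructed sample, not from the page: the hash in the question's error
# message belongs to whatever style the chart library actually injects.
SAMPLE_STYLE = "display:block;width:600px"


def csp_hash(source: str) -> str:
    """CSP hash-source token for an inline style/script body: sha256-<base64>."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy value into {directive: [source-expr, ...]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_style_allowed(header: str, body: str, attribute: bool = False) -> bool:
    """Would the browser apply this inline style under the policy?

    style-src falls back to default-src when absent. A matching hash covers a
    <style> element; for a style="" attribute the hash only counts when the
    policy also carries 'unsafe-hashes' (CSP3).
    """
    policy = parse_csp(header)
    sources = policy.get("style-src", policy.get("default-src", []))
    if "'unsafe-inline'" in sources:
        return True
    if "'" + csp_hash(body) + "'" not in sources:
        return False
    return not attribute or "'unsafe-hashes'" in sources


def hashed_style_policy(bodies) -> str:
    """Policy that admits only the given inline styles, instead of 'unsafe-inline'."""
    hashes = " ".join("'" + csp_hash(b) + "'" for b in bodies)
    return "default-src 'self'; style-src 'self' " + hashes


def play_config_line(bodies) -> str:
    """The matching application.conf line for Play's SecurityHeadersFilter."""
    return 'play.filters.headers.contentSecurityPolicy = "%s"' % hashed_style_policy(bodies)
```

Any change to the library's emitted style text changes its hash, so a hashed policy must be regenerated on library upgrades; if the library writes style="" attributes rather than a <style> element, the policy also needs 'unsafe-hashes'.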