Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

What is a script from source 'undefined' mean in CSP?

I have recently moved from stripe.js v2 to stripe.js v3 / elements. As part of this, I am recieving new CSP errors. These don't seem to be causing stripe to fail, but I would like to understand them:

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). Source: ;undefined.
elements-inner-card-15fb9df8718486f330c3990dde96bfd7.html:1

Content Security Policy: The page's settings blocked the loading of a resource at self ("script-src"). Source: ;undefined.
controller-3984d4085075df939703ec0d22159407.html:1

Both elements-inner-card-15fb9df8718486f330c3990dde96bfd7.html and controller-3984d4085075df939703ec0d22159407.html are from stripe. What I don't understand is the script-src of undefined?

  • How can a script-src be undefined? A <script> element generally had a src , if not it's unsafe-inline. What does undefined mean?

  • How can I modify my CSP to allow Stripe v3?

Edit: the error only seems to occur on Firefox, when using LastPass. Chrome does not show this error, nor does Firefox with Addons Disabled.

like image 890
mikemaccana Avatar asked Apr 30 '18 08:04

mikemaccana


People also ask

How do I enable inline scripts in CSP?

To allow inline scripts and inline event handlers, 'unsafe-inline' , a nonce-source or a hash-source that matches the inline block can be specified. Alternatively, you can create hashes from your inline scripts. CSP supports sha256, sha384 and sha512.

What is script source?

The src attribute specifies the URL of an external script file. If you want to run the same JavaScript on several pages in a web site, you should create an external JavaScript file, instead of writing the same script over and over again.

Can you bypass CSP?

If the application is using angular JS and scripts are loaded from a whitelisted domain. It is possible to bypass this CSP policy by calling callback functions and vulnerable class.

What is unsafe inline CSP?

The unsafe-inline option is to be used when moving or rewriting inline code in your current site is not an immediate option but you still want to use CSP to control other aspects (such as object-src, preventing injection of third-party js etc.).


1 Answers

For those ending up here like me, the solution was different than "disabling addons".

Context: I'm using stripe in React and I use react-stripe-elements to do it. The CSP error came when I was doing this:

<form>
    {loading ? <Spinner /> : <CardElement /> }
</form>

It seems that the dynamic mounting/unmounting does not go well there. I changed it like that:

<form>
    <div className={classnames({hidden: !loading})}><Spinner /></div>
    <div className={classnames({hidden: loading})}><CardElement /></div>
</form>

With the corresponding CSS for hidden of course and the error went away.

Hope it helps some lost souls :)

like image 189
Benoît Latinier Avatar answered Oct 25 '22 03:10

Benoît Latinier