There are a number of methods available to avoid cross-site scripting (XSS) including white lists, unique hashes, or a unique nonce value. SiteSpect uses a Content-Security-Policy Nonce Value to add a nonce value to your Site’s Content-Security-Policy header. When enabled, SiteSpect generates a unique string per request and adds it to the header as an attribute. Any script that wants to run must contain the nonce attribute.
For example, if the CSP header looks like this:
Then an inline script on the site must look like this:
Otherwise, the browser displays an error message stating that an inline script tried to run but did not comply with the Content-Security-Policy header.
To enable the feature:
- Select Site, Configuration, Site Settings, and then Security.
- Select Content-Security-Policy Nonce Value.
The following rules apply when this feature is enabled, in order of precedence:
- If the origin is not sending a Content-Security-Policy header, SiteSpect does nothing; it does not add a header.
- If there is a script-src directive specified and:
- it already contains a nonce, then SiteSpect pulls the nonce value and adds it to our own scripts without modifying the header.
- it contains 'unsafe-inline' and a hash, SiteSpect adds a newly generated nonce and adds it to the script-src. 'unsafe-inline' in this instance serves as a fallback for the hash, so it is ignored by modern browsers.
- it contains 'unsafe-inline' and no hash, SiteSpect does nothing. Inline scripts are fully enabled and none of our code is prevented from running. Removing this and adding a nonce value is likely to cause issues on the client's site.
- it does not contain a nonce, then SiteSpect adds a newly generated nonce value to the script-src directive.
If there is a default-src directive specified:
- It copies the default-src into a new script-src, and then follows the same logic as the script-src directive. The script-src is a precise copy of the default-src, but with an additional nonce attribute if it was not defined in the default-src.
If neither script-src or default-src is defined, SiteSpect does nothing.
Use the WATTS variable, __SS_CONTENTSECURITYPOLICYNONCE__ as follows to add the generated nonce to value to inserted scripts.
The macro expands to the following, where aaBBccDDffEE is just an example: