Thomas777 Posted November 27, 2021: Hello to the community. First of all, I am not a developer; I am just trying to set up an online shop for my little business. I am at the point where I try to set a strict CSP header, which is impossible without allowing unsafe-inline in script-src or in style-src. I tried to add all the hashes (as suggested here), but that was not possible as the line in .htaccess was exceeding the limit (somewhere in the area of 8000) and it was crashing the site. Raising that limit was not possible as I run the site in a shared environment (it would probably open another security hole anyway). To be honest, I do not know how easy it is or not to remove all the inline elements from PrestaShop (I can guess that it is not easy), but maybe this is something that needs to be done, as it would raise the level of security. Anyway, just my opinion. Now hopefully I am wrong and someone could point me in the right way. Many thanks to anyone that has posted a solution to any problem, as I have probably been helped by that :)
Thomas777 Posted December 14, 2021 (Author): Ok, surely somewhere, somehow, someway, someone (maybe in another galaxy) found a way to implement CSP without allowing "unsafe-inline". Or maybe it is impossible, I do not know. Anyway, an answer from someone in PrestaShop, or from someone who has succeeded at it, or knows it is impossible, would be nice for me and for anyone in the future who wants to be a little more safe. Thanks anyway. Edited December 14, 2021 by Thomas777.
Thomas777 Posted December 17, 2021 (Author): An answer from anyone in PrestaShop or anyone else that happens to know? It feels lonely and cold here all alone.
Thomas777 Posted December 20, 2021 (Author): After a lot of days and weeks I found that the problem is the cart, which, somehow, always keeps asking for a new hash. Otherwise adding the hashes for all the other inline scripts seems simple; maybe adding a nonce there would solve the problem, but my knowledge of programming does not allow me to do that, so I have to settle with unsafe-inline. Anyway, just for someone who might want to try it in the future.
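An added example, not code from the thread or from PrestaShop: it computes the `'sha256-...'` source expressions the first post tried to collect, shows why an inline cart script whose contents change with every response can never be pinned by a fixed hash list (the behaviour the last post describes), and contrasts that with a per-response nonce. The script-tag regex and the two sample pages are constructed assumptions, not PrestaShop markup.

```python
import base64
import hashlib
import re
import secrets

# Inline <script> tags only (those with a src= attribute are covered by 'self').
SCRIPT_RE = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)


def csp_hash(script_body):
    """CSP source expression for one inline script: SHA-256 over the exact
    bytes between <script> and </script> (whitespace included), base64-encoded."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def hash_based_script_src(html):
    """Hash-only script-src for one rendered page. Every distinct inline body
    needs its own entry, which is what makes the .htaccess line grow."""
    hashes = [csp_hash(body) for body in SCRIPT_RE.findall(html)]
    return "script-src 'self' " + " ".join(dict.fromkeys(hashes))


def hashes_stable(page_a, page_b):
    """True only if both renderings would be allowed by the same hash list."""
    return hash_based_script_src(page_a) == hash_based_script_src(page_b)


def nonce_based_script_src(html):
    """Per-response nonce: generate it once, put it in the header and stamp it
    on every inline <script>. Returns (header_value, rewritten_html)."""
    nonce = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
    tagged = SCRIPT_RE.sub(
        lambda m: m.group(0).replace("<script", f'<script nonce="{nonce}"', 1), html
    )
    return f"script-src 'self' 'nonce-{nonce}'", tagged


# Constructed sample: the same template rendered for two different cart states.
PAGE_A = '<html><script>var cart = {total: 12.50};</script><script src="/js/app.js"></script></html>'
PAGE_B = '<html><script>var cart = {total: 15.00};</script><script src="/js/app.js"></script></html>'

if __name__ == "__main__":
    print(hash_based_script_src(PAGE_A))
    print(hash_based_script_src(PAGE_B))
    print("same hash list works for both:", hashes_stable(PAGE_A, PAGE_B))  # False
    header, html = nonce_based_script_src(PAGE_B)
    print(header)
    print(html)
```

The nonce must be freshly generated for each response and never reused, otherwise it degrades to a static allow-all for inline scripts.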