Inline javascript on login page must be blocked for secure content security policy

Description
The HTML for the login page includes two inline scripts, one handling alerts and one handling OAuth providers (pasted below). While they appear to be relatively inconsequential and could be blocked without losing important functionality, a secure Content Security Policy is not compatible with inline scripts. To allow these scripts to execute, one would have to add 'unsafe-inline' to the script-src directive of the CSP header, which has the effect of allowing any inline script on the page to execute, including injected ones. Such a setting is insecure by its nature. Therefore, there should be no inline scripts on this page.
<script>
  "use strict";
  Prime.Document.onReady(function() {
    // Wire up dismissable alert boxes
    Prime.Document.query('.alert').each(function(e) {
      var dismissButton = e.queryFirst('a.dismiss-button');
      if (dismissButton !== null) {
        new Prime.Widgets.Dismissable(e, dismissButton).initialize();
      }
    });
    // Tooltips and date pickers
    Prime.Document.query('[data-tooltip]').each(function(e) {
      new Prime.Widgets.Tooltip(e).withClassName('tooltip').initialize();
    });
    Prime.Document.query('.date-picker').each(function(e) {
      new Prime.Widgets.DateTimePicker(e).withDateOnly().initialize();
    });
    new FusionAuth.OAuth2.LocaleSelect(new Prime.Document.queryById('locale-select'));
  });
  FusionAuth.Version = "1.16.0";
</script>
<script>
  Prime.Document.onReady(function() {
    // OAuth authorize flow and identity provider "in progress" indicator
    new FusionAuth.OAuth2.Authorize();
    var panel = Prime.Document.queryFirst('.panel');
    if (panel !== null) {
      FusionAuth = FusionAuth || {};
      FusionAuth.IdentityProvider = FusionAuth.IdentityProvider || {};
      FusionAuth.IdentityProvider.InProgress = new Prime.Widgets.InProgress(panel);
    }
  });
</script>
Edit: It actually looks like there are similar things all over the UI.
Additional context
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src
https://developers.google.com/web/fundamentals/security/csp
https://content-security-policy.com/
https://content-security-policy.com/examples/allow-inline-script/