We are using SmartGWT 13.0 in a regulated environment that requires security assessments. Tools like OWASP ZAP reported possible security vulnerabilities.
Most of them can be fixed by setting the correct Content-Security-Policy headers etc., but we cannot find a way around a couple of them without compromising functionality:
- Absence of Anti-CSRF Tokens
In ISC_Grids.js there are some strings that look like:
Code:
<form action='javascript:void(0)' onsubmit='return false;'>
that trigger this warning. Looking at the form it does not seem to actually submit anything and CSRF should not be needed, so do you think it is a false positive?
- Content Security Policy style-src unsafe-inline, script-src unsafe-inline
In the CSP header we need to set
Code:
style-src 'unsafe-inline'; script-src 'unsafe-inline'
because SmartGWT generates inline CSS and JavaScript event handlers. Is there a way to remove the 'unsafe-inline' requirement?
Thanks
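Added example (not from the post, and not SmartGWT code): a small Python check, using two constructed headers, that shows the caveat behind the second question. Once a script-src or style-src directive also carries a nonce or hash, browsers implementing CSP Level 2 or later ignore 'unsafe-inline' in that same directive, so inline event handlers such as the onsubmit above stop working; the two source types cannot simply be combined as a gradual migration.

```python
import re

# Constructed samples: the header from the post, and the same header with a
# nonce added to script-src while 'unsafe-inline' is kept (a common mistake).
CSP_FROM_POST = "style-src 'unsafe-inline'; script-src 'unsafe-inline'"
CSP_WITH_NONCE = "style-src 'unsafe-inline'; script-src 'unsafe-inline' 'nonce-r4nd0m'"

# Nonce and hash source expressions as defined by CSP Level 2/3.
NONCE_OR_HASH = re.compile(
    r"^'(nonce-[A-Za-z0-9+/=_-]+|sha(256|384|512)-[A-Za-z0-9+/=_-]+)'$"
)


def parse_csp(header: str) -> dict:
    """Split a CSP header into {directive: [sources]}.

    Directives are separated by ';' and sources by whitespace. As in the spec,
    only the first occurrence of a directive name is honoured.
    """
    policy = {}
    for directive in header.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() not in policy:
            policy[parts[0].lower()] = parts[1:]
    return policy


def inline_allowed(policy: dict, directive: str) -> bool:
    """Return True if inline content is permitted for script-src or style-src.

    Falls back to default-src when the directive is absent. 'unsafe-inline' is
    only effective when no nonce or hash source is present in the same list.
    """
    sources = policy.get(directive, policy.get("default-src", []))
    if "'unsafe-inline'" not in sources:
        return False
    return not any(NONCE_OR_HASH.match(s) for s in sources)


def assess(header: str) -> dict:
    """Report, per directive, whether the header still allows inline content."""
    policy = parse_csp(header)
    return {d: inline_allowed(policy, d) for d in ("script-src", "style-src")}


if __name__ == "__main__":
    for h in (CSP_FROM_POST, CSP_WITH_NONCE):
        print(h, "->", assess(h))
```

For the second header the check reports script-src as no longer allowing inline content, which is exactly the breakage to expect from inline event handler attributes; nonces cannot cover those at all, only a script element's body.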