21.2.6.1 Understanding Content Security Policy (CSP)

Learn about Content Security Policy (CSP).

21.2.6.1.1 About Content Security Policy (CSP)

Learn how Content Security Policy (CSP) can help prevent a wide range of attacks, including Cross-Site Scripting (XSS) and data injection attacks.

CSP is a web security standard that can help prevent attacks by controlling which content can be loaded and executed in the browser. Oracle APEX supports CSP through the use of HTTP response headers. By setting CSP headers, application developers instruct the browser to only execute or render resources from trusted sources. Anything not matching the defined policy will be blocked.

Note:

Oracle APEX is making progress towards CSP compliance by focusing on eliminating the need for 'unsafe-inline'. This is achieved through the use of a nonce in script and style tags and by reducing inline JavaScript and inline styles. However, it's important to note that not all APEX components are fully CSP-compliant. Developers should be aware that some legacy components or features might still require further adaptation in future releases.

21.2.6.1.2 Types of CSP Violations

Learn about types of CSP violations.

Types of CSP violations that would otherwise require 'unsafe-inline' include:

  1. Inline Script Tag: Occurs when an inline <script> tag does not have a valid nonce.

    <script>
        console.log('This script will be blocked by CSP because it lacks the correct nonce.');
    </script>
  2. Inline Style Attribute: Happens when the style attribute is used directly on an HTML element.

    <!-- This inline style will be blocked by CSP -->
    <span style="color: blue;">Text</span>
  3. Inline Style Tag: Similar to script violations but related to <style> tags or inline styles.

    <!-- Blocked if no valid nonce is provided -->
    <style>
      body { background-color: red; }
    </style>
  4. Inline JavaScript Attribute: Triggered when inline JavaScript is used in HTML attributes such as onclick, onmouseover, and so on.

    <!-- This will be blocked by CSP -->
    <button onclick="alert('Clicked!')">Click Me</button>
  5. External Resource Violation: Blocked when a resource (for example, script, style) is loaded from a source not allowed in the CSP header.

    <!-- Blocked if cdn.example.com is not in the script-src directive -->
    <script src="https://cdn.example.com/library.js"></script>

21.2.6.1.3 What is a Cryptographic Nonce?

Learn about cryptographic nonce and how it works.

A cryptographic nonce (or number used once) refers to a number or value that is used only once in a cryptographic communication. When it comes to web security, particularly with Content Security Policy (CSP), a nonce attribute is used to allow specific inline scripts to be executed.

A cryptographic nonce works as follows:

  1. CSP and Nonce - When you define a Content Security Policy (CSP) for your web application, you can specify that only scripts with a specific nonce value are allowed to execute. This prevents attackers from injecting malicious scripts because they won’t have access to the nonce value.
  2. Implementation - The server generates a unique nonce value for each request and includes it in the CSP header. Inline scripts that should be allowed to run must include this nonce value in their script tag.

Consider the following nonce examples.

HTML (Inline Script with Nonce)

<script nonce="random12345">
    console.log('This script will run because it has the correct nonce.');
</script>

HTML (Inline Script without Nonce)

<script>
    console.log('This script will be blocked by CSP because it lacks the correct nonce.');
</script>

In this example, the script with the correct nonce random12345 is allowed to execute, while the script without a nonce is blocked, enhancing the security of your web application. The value random12345 only stands in for a nonce that the server generates freshly for each request. Check the browser console to see any violations that remain after applying the policy.
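The following is an added example, not Oracle APEX code, that ties the two preceding sections together: it generates a per-response nonce, builds the matching Content-Security-Policy header value, and audits an HTML fragment for the five 'unsafe-inline' violation types listed earlier. The sample page, the host cdn.trusted.example and the helper names (generate_nonce, build_csp_header, parse_csp, audit_html) are constructed for this example; the HTML and CSP matching is deliberately simplified (exact host matching, no wildcards or paths) compared with what a browser does.

```python
"""Added example (not Oracle APEX code): generate a per-response CSP nonce,
emit the matching Content-Security-Policy header value, and audit an HTML
fragment for the 'unsafe-inline' violation types listed above."""
import re
import secrets
from typing import Optional
from urllib.parse import urlparse

# Tag shapes the audit understands (simplified HTML parsing, not a full parser).
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
STYLE_TAG = re.compile(r"<style\b([^>]*)>", re.IGNORECASE)
STYLE_ATTR = re.compile(r"<(?!style\b)[a-z][\w-]*\b[^>]*?\sstyle\s*=", re.IGNORECASE)
EVENT_ATTR = re.compile(r"<[a-z][\w-]*\b[^>]*?\son[a-z]+\s*=", re.IGNORECASE)


def generate_nonce(num_bytes: int = 16) -> str:
    """Fresh, unguessable base64url nonce; generate one per HTTP response."""
    return secrets.token_urlsafe(num_bytes)


def build_csp_header(nonce: str, script_hosts: tuple = ()) -> str:
    """Policy allowing same-origin resources, nonce-tagged inline script/style,
    and external scripts only from the given hosts (no 'unsafe-inline')."""
    script_src = " ".join(["'self'", f"'nonce-{nonce}'", *script_hosts])
    return (f"default-src 'self'; script-src {script_src}; "
            f"style-src 'self' 'nonce-{nonce}'")


def parse_csp(header: str) -> dict:
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def _attr(name: str, attrs: str) -> Optional[str]:
    """Value of a double-quoted attribute inside a tag's attribute string."""
    m = re.search(rf'\b{name}\s*=\s*"([^"]*)"', attrs, re.IGNORECASE)
    return m.group(1) if m else None


def _host_allowed(url: str, sources: list) -> bool:
    """Simplified host-source matching: exact host or scheme://host entries
    only (real CSP also handles wildcards and paths). Relative URLs are same-origin."""
    parsed = urlparse(url)
    if not parsed.netloc:
        return "'self'" in sources
    return any(s in (parsed.netloc, f"{parsed.scheme}://{parsed.netloc}")
               for s in sources)


def audit_html(html: str, csp_header: str) -> list:
    """Return the violation types a browser would report for this fragment
    under csp_header; each entry names one of the five types above."""
    policy = parse_csp(csp_header)
    fallback = policy.get("default-src", [])
    script_src = policy.get("script-src", fallback)
    style_src = policy.get("style-src", fallback)
    found = []
    for attrs in SCRIPT_TAG.findall(html):
        src = _attr("src", attrs)
        if src is not None:
            if not _host_allowed(src, script_src):
                found.append("External Resource Violation")
        elif f"'nonce-{_attr('nonce', attrs)}'" not in script_src:
            found.append("Inline Script Tag")
    for attrs in STYLE_TAG.findall(html):
        if f"'nonce-{_attr('nonce', attrs)}'" not in style_src:
            found.append("Inline Style Tag")
    # A nonce cannot authorise attributes: without 'unsafe-inline' (or hashes
    # plus 'unsafe-hashes') these are always blocked, so report them outright.
    found.extend("Inline Style Attribute" for _ in STYLE_ATTR.findall(html))
    found.extend("Inline JavaScript Attribute" for _ in EVENT_ATTR.findall(html))
    return found


# Constructed sample page: compliant script/style/resources plus exactly one
# violation of each of the five types.
NONCE = generate_nonce()
HEADER = build_csp_header(NONCE, ("https://cdn.trusted.example",))
SAMPLE_HTML = f"""
<script nonce="{NONCE}">console.log('allowed: correct nonce');</script>
<script>console.log('blocked: no nonce');</script>
<style nonce="{NONCE}">body {{ margin: 0; }}</style>
<style>body {{ background-color: red; }}</style>
<span style="color: blue;">Text</span>
<button onclick="alert('Clicked!')">Click Me</button>
<script src="/static/app.js"></script>
<script src="https://cdn.trusted.example/lib.js"></script>
<script src="https://cdn.example.com/library.js"></script>
"""

if __name__ == "__main__":
    print("Content-Security-Policy:", HEADER)
    for violation in audit_html(SAMPLE_HTML, HEADER):
        print("CSP violation:", violation)
```

Running the script prints the generated header value followed by one line per violation; the two attribute-based types are reported regardless of the nonce, which is why removing inline style and event-handler attributes (rather than nonce-tagging them) is the route to dropping 'unsafe-inline'.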