7

This question seems to be related to https://stackoverflow.com/questions/15913200/facebook-js-sdk-not-executed-in-my-chrome-extension , but I am not developing a chrome extension. I am developing a normal web application.

I am trying to integrate Facebook login on my website, which has a tight CSP policy. I am following the recommendations of https://developer.chrome.com/extensions/contentSecurityPolicy , where it is mentioned that 'unsafe-eval' should not be used. However, if I put the following CSP-policy:

 <add name="Content-Security-Policy" value="default-src 'self'; connect-src 'self'; script-src 'self' https://connect.facebook.net; img-src 'self' https://www.facebook.com; media-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://s-static.ak.facebook.com https://www.facebook.com https://www.youtube.com; "/>

then the facebook login does not appear, as the CSP policy restricts unsafe eval code. If I change it to the following:

 <add name="Content-Security-Policy" value="default-src 'self'; connect-src 'self'; script-src 'self' 'unsafe-eval' https://connect.facebook.net; img-src 'self' https://www.facebook.com; media-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; frame-src 'self' https://s-static.ak.facebook.com https://www.facebook.com https://www.youtube.com; "/>

then it works. Notice the extra 'unsafe-eval' in the script-src part of the CSP. Anyway, I don't want to use the 'unsafe-eval' condition, as this would greatly reduce the security of my website.

Is there a way that I can use the Facebook login (SDK), without having to use 'unsafe-eval' in my CSP policy?

Improve this question
5
  • Do you trust Facebook enough to include it as script source on your site? This means, that a site outside of your control has the ability to modify the page, read cookies (unless they are http only) and CSRF protection tokens etc. Commented Apr 18, 2014 at 13:19
  • Yes I trust Facebook enough, but the CSP policy will be applied for the complete page, right? So if an attacker finds a different XSS vulnerability on the login page, then my CSP won't help. Commented Apr 18, 2014 at 13:33
  • Yes, the CSP will be applied to the complete page. Commented Apr 18, 2014 at 14:06
  • 1
    And in case I have a single-page app, it would thus be applied to my whole web-app, rendering the CSP completely useless. That is a bit the issue that I am having now.. Commented Apr 18, 2014 at 14:56
  • unsafe-eval doesn't render CSP completely useless. unsafe-inline is the really bad one that undoes most of the benefit of CSP against XSS. Commented Sep 9, 2016 at 20:59

1 Answer 1

Reset to default
4

No, you can't use the Facebook SDK without 'unsafe-eval' if the Facebook SDK requires it, sadly. This is one of the problems with CSP. Until Facebook remove the requirement, you have to allow it.

You mention that your app may be a single-page app, but if it wasn't, you could issue the 'unsafe-eval' expression on that particular page only to improve the situation, rather than site-wide.

Improve this answer

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.