Question

CSP style-src: unsafe-inline

The 'CSP: style-src unsafe-inline' vulnerability indicates that the application's Content Security Policy allows the use of inline styles, which can be exploited by attackers. Is there a way to avoid 'CSP: style-src unsafe-inline' with the Brightcove player?


4 replies


Hi @Stepan Yegorov ,

Hope you are doing well today.

I appreciate you using BrightSpot to share your question.

I will be contacting you in private message, as we need additional information to follow up on your request.

Thank you!


Hi @Stepan Yegorov. I checked this with a teammate. Their suggestion is that you can either disable that CSP directive, or you may want to try generating a hash for the injected style blocks and adding that to your policy to allow the player's styles to be injected. There is an example of how that might be done here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src#unsafe_inline_styles

Hope this and Perla's response were helpful.


Hi @Varsha Ahir ,

Thank you for checking this and for the suggestion. Generating the hash requires some manual work on our end after each new player update, and I'd like to avoid this if possible. I think it would be good to have a separate file for CSS and a separate one for JS; this would solve the CSP problem. Not sure if anyone has implemented it so far.


Hi @Stepan Yegorov, understood. I'm afraid the web player is not distributed with separate JS & CSS. Let me promote this post to other Brightcove users. Let's see if anyone has implemented that at their end.
