Skip to main content
Question

CSP style-src: inline-unsafe

  • 2 July 2024
  • 4 replies
  • 142 views

The 'CSP: style-src unsafe-inline' vulnerability indicates that application's Content Security Policy allows the use of inline styles, which can be exploited by attackers. Is there a way to avoid  'CSP: style-src unsafe-inline' with brightcove player?

4 replies

Perla Olivas
Userlevel 2
Badge

Hi @Stepan Yegorov ,

Hope you are doing excellent today,

I appreciate you using BrightSpot to share your question. 

I will be contacting you in private message, as we need additional information to follow up on your request.

Thank you!

Perla Olivas
Varsha Ahir
Userlevel 4
Badge +3

Hi @Stepan Yegorov. I checked this with a teammate. Their suggestion is that you can either disable that CSP directive, or may want to try generating a hash for the injected style blocks and add that to your policy to allow the player's styles to be injected. There is an example of how that might be done here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src#unsafe_inline_styles 

 

Hope this and Perla’s response was helpful. 

Varsha Ahir, Community Manager, Brightcove
S
Badge

Hi @Varsha Ahir ,

Thank you for checking this and for the suggestion. Generating the hash requires some manual work on our end after a new player updates, I'd like to avoid this if possible. I think it would be good to have a separate file for CSS and a separate one for JS, this would solve the CSP problem. Not sure if anyone has implemented it so far.

Varsha Ahir
Userlevel 4
Badge +3

Hi @Stepan Yegorov,  Understood. I'm afraid the web player is not distributed with separate JS & CSS. Let me promote this post to other Brightcove users. Let’s see if anyone has implemented that at their end. 

Varsha Ahir, Community Manager, Brightcove

Reply


Terms of UseCookie settings