
CSP style-src: inline-unsafe



The 'CSP: style-src unsafe-inline' vulnerability indicates that the application's Content Security Policy allows the use of inline styles, which can be exploited by attackers. Is there a way to avoid 'CSP: style-src unsafe-inline' with the Brightcove player?

4 replies

Perla Olivas

Hi @Stepan Yegorov ,

Hope you are doing excellent today,

I appreciate you using BrightSpot to share your question. 

I will be contacting you in private message, as we need additional information to follow up on your request.

Thank you!


Varsha Ahir
  • Community Manager
  • 69 replies
  • July 3, 2024

Hi @Stepan Yegorov. I checked this with a teammate. Their suggestion is that you can either disable that CSP directive, or may want to try generating a hash for the injected style blocks and add that to your policy to allow the player's styles to be injected. There is an example of how that might be done here - https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/style-src#unsafe_inline_styles 


Hope this and Perla's response were helpful.



Hi @Varsha Ahir ,

Thank you for checking this and for the suggestion. Generating the hash requires some manual work on our end after every new player update; I'd like to avoid this if possible. I think it would be good to have a separate file for CSS and a separate one for JS; this would solve the CSP problem. Not sure if anyone has implemented it so far.


Varsha Ahir
  • Community Manager
  • 69 replies
  • July 8, 2024

Hi @Stepan Yegorov, understood. I'm afraid the web player is not distributed with separate JS & CSS. Let me promote this post to other Brightcove users. Let's see if anyone has implemented that at their end.

