
Have a safe Content Security Policy (CSP) in servers demo #1682

Open
sbernard31 opened this issue Jan 7, 2025 · 4 comments
Labels
bsserver Impact LWM2M bootstrap server demo Impact our demo (not libraries) server Impact LWM2M server

Comments

@sbernard31 (Contributor)

sbernard31 commented Jan 7, 2025

Sandbox security tests complain about unsafe usage in Content Security Policy (CSP):

Content Security Policy (CSP) implemented, but allows 'unsafe-eval' and allows forms to be submitted to any source.

'unsafe-eval' - 'unsafe-eval' allows the execution of code injected into DOM APIs such as eval().

This policy allows inline styles ('unsafe-inline'). Although they are not as bad as inline scripts in terms of security, an injection bug in script area would allow the attacker to modify page appearance.

See :

We need to investigate that.

@sbernard31 sbernard31 added server Impact LWM2M server demo Impact our demo (not libraries) bsserver Impact LWM2M bootstrap server labels Jan 7, 2025
@sbernard31 (Contributor, Author)

sbernard31 commented Jan 8, 2025

Investigating a bit more about 'unsafe-eval' ...

✔️ : it seems that with vue3, if Single-File Components (SFC) are pre-compiled (the default when the project is built), there is no usage of eval() and no need to add 'unsafe-eval' to the CSP.

@sbernard31 (Contributor, Author)

Concerning 'unsafe-inline',

vue3 doesn't use it either, but some of our other dependencies do...

  1. ✔️ vite plugin-legacy seems to use it (not 100% sure): so we will remove its usage; it seems we don't need it anyway for a demo.
  2. ✔️ vite-plugin-webfont-dl uses it by default, but it is possible to configure it to avoid that (Bad URL when using base:"./" in vite.config.js feat-agency/vite-plugin-webfont-dl#68)
  3. vuetify3 uses it and AFAIK there is no proper way to get rid of that ... [Feature Request] Theme CSP nonce should be removed vuetifyjs/vuetify#15973
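
The findings quoted in the first comment ('unsafe-eval' in script-src, 'unsafe-inline' in style-src, forms allowed to post anywhere) and the nonce discussion in the list above can be checked mechanically. The following is an added example, not code from the Leshan project or from the scanner: a small audit function over a raw Content-Security-Policy header value. Function names (`parseCsp`, `auditCsp`, `fetchSources`) and both sample policies are constructed for this illustration; the nonce value in the hardened sample is a placeholder, not a real per-response nonce.

```javascript
// Added example (not Leshan project code): a minimal linter for a
// Content-Security-Policy header value that reports the problems the
// sandbox scanner raised in this issue. Directive semantics follow CSP3.

// Parse "name src src; name src ..." into Map<directive, string[]>.
// As in browsers, a repeated directive keeps its first occurrence.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Fetch directives (script-src, style-src, ...) fall back to default-src.
// Navigation directives such as form-action do NOT, which is why a policy
// with no form-action at all lets forms be submitted to any origin.
function fetchSources(directives, name) {
  return directives.get(name) ?? directives.get('default-src') ?? [];
}

// A nonce or hash source makes CSP2+ browsers ignore 'unsafe-inline',
// so inline allowance is only reported when neither is present.
function hasNonceOrHash(sources) {
  return sources.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
}

// Returns a list of human-readable findings; an empty list means clean.
function auditCsp(header) {
  const d = parseCsp(header);
  const findings = [];

  const scripts = fetchSources(d, 'script-src');
  if (scripts.includes("'unsafe-eval'")) {
    findings.push("script-src allows 'unsafe-eval' (eval()/Function() on injected text)");
  }
  if (scripts.includes("'unsafe-inline'") && !hasNonceOrHash(scripts)) {
    findings.push("script-src allows 'unsafe-inline' without a nonce or hash");
  }

  const styles = fetchSources(d, 'style-src');
  if (styles.includes("'unsafe-inline'") && !hasNonceOrHash(styles)) {
    findings.push("style-src allows 'unsafe-inline' (injected markup can restyle the page)");
  }

  const formAction = d.get('form-action');
  if (!formAction || formAction.includes('*')) {
    findings.push('form-action is missing or wildcard: forms may be submitted to any origin');
  }
  return findings;
}

// Constructed sample: the shape of policy the scanner complained about.
const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'";

// Constructed sample of a hardened policy. 'nonce-PLACEHOLDER' stands in for
// a fresh random value the server generates per response and injects into
// the inline <style> tags it emits (the vuetify theme case above).
const HARDENED_CSP =
  "default-src 'self'; script-src 'self'; style-src 'self' 'nonce-PLACEHOLDER'; " +
  "form-action 'self'; base-uri 'self'; frame-ancestors 'none'";

// Print an audit so the file can be run directly with node.
function report(label, header) {
  const findings = auditCsp(header);
  console.log(`${label}: ${findings.length === 0 ? 'no findings' : ''}`);
  for (const f of findings) console.log(`  - ${f}`);
  return findings;
}

report('weak policy', WEAK_CSP);
report('hardened policy', HARDENED_CSP);
```

Running it lists three findings for the weak policy and none for the hardened one; the same function can be pointed at the header a local dev server actually sends (for example when testing with Vite CSP Guard) to confirm a change removed the directive it was meant to remove.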

@sbernard31 (Contributor, Author)

Usage of Vite CSP Guard could help to test locally.

@sbernard31 (Contributor, Author)

#1683 improves our sandbox security score.
We move:

  • from 100/100 to 120/100 at Mozilla Observatory
  • A to A+ at Security Headers

This doesn't change our score, still A at Immuniweb Website Tests.

See : https://github.com/eclipse-leshan/leshan/wiki/Security-Development-Documention
