Guidelines for Insecure CSP Header: When It Warrants Further Investigation

Publiseringsdato: Feb 11, 2026

Beskrivelse

What is CSP

Content Security Policy (CSP) is a HTTP response header that helps a web browser secure an application by specifying which resources (like scripts, images, and stylesheets) are allowed to be loaded. Think of it like a security checklist: the website tells what types of content are allowed (like scripts, images, styles) and from where they are allowed (like your own site or trusted domains).

CSP (Content Security Policy) acts as an additional layer of protection, not a complete security solution or remedy for poorly written code. By strictly controlling what can be loaded and from where, CSP helps prevent various code injection attacks. These attacks include cross-site scripting (XSS), clickjacking, and others where malicious content is executed within the context of a webpage.

Exploring the Impact and Limitations of CSP:

CSP acts as a second layer of defense, helping reduce the risk of client-side attacks even when subtle vulnerabilities exist in the application’s code. However, it’s important to understand that CSP does not fix insecure code itself.

Addressing the Limitations

Implementation Risk: CSP can easily break how a website or application is designed to work because it blocks anything that isn’t explicitly allowed. If an application uses different scripts, plugins, and third-party tools, a single generic and strict CSP rule can accidentally block essential components and stop important features from loading.
Bypasses: CSP can be circumvented in various ways, such as

Malicious scripts uploaded to the server: When a malicious script is uploaded to the server, they are trusted from a CSP perspective because they are served from your own domain (e.g., https://example.com/uploads/malicious.js)
DOM-based XSS: CSP cannot always prevent attacks that originate purely from user-controlled input in the browser. JavaScript that handles data unsafely—such as the example below—can introduce a DOM-based XSS vulnerability:

let userInput = location.hash;
document.getElementById("output").innerHTML = userInput;

In this example, an attacker may attempt to exploit the vulnerable JavaScript by tricking a victim into opening a link such as:

https://example.com/page#<img src=x onerror=alert('Hacked')>.

Since the value of location.hash is inserted directly into innerHTML, the browser interprets the attacker’s input as HTML and injects it into the DOM.

CSP can act as a mitigation that reduces the impact of DOM-based XSS by blocking the execution of inline scripts. However, it cannot guarantee full prevention. Vulnerabilities caused by unsafe DOM handling must be addressed in the application code by avoiding dangerous sinks such as innerHTML or by applying proper sanitization.

Third-party dependencies: Allowed external scripts (e.g., analytics, ads) can be compromised, letting attackers inject code that CSP won’t block.
Not all browsers enforce CSP: Older browsers ignore CSP headers, leaving them vulnerable even if configured correctly.
Inline scripts with 'unsafe-inline': While sometimes necessary for application workflows, this is a configuration choice that reduces the header's effectiveness against XSS by allowing scripts to run inline.

These limitations restrict the overall effectiveness of CSP and require careful analysis to determine when the absence of CSP can be considered a vulnerability.

When to report : When it warrants further investigation

CSP is a defense-in-depth mechanism and not a primary control, it only becomes relevant in a security context when it fails to prevent a real-world attack. It warrants further investigation only when there is evidence that the CSP failed to block or mitigate an actual exploit. A weak or missing CSP header, on its own, is not a valid security finding.

✅ Valid CSP Findings Must Include:

A proven exploit (e.g., successful XSS attack that CSP failed to mitigate)
A clear bypass of an existing CSP configuration
Evidence of sensitive data exposure due to CSP weaknesses
Demonstrable impact, such as code execution, session hijacking, or unauthorized actions

❌ Invalid Findings Without Exploitability:

CSP is absent or missing, but you cannot find any XSS or injection point.
CSP includes unsafe-inline or wildcards but no user-controlled HTML or JS context exists.
Misconfigurations in CSP reporting directives (report-uri / report-to) are not security issues by themselves, as they merely log policy violations unless they inadvertently expose sensitive data.

Summary:

CSP issues should only be reported when they enable or fail to stop a real attack scenario. Simply noting that a site lacks a CSP header or includes less secure directives does not constitute a reportable vulnerability unless tied to an actual exploit or security impact.

Løsning

Salesforce Security and Application Agility through CSP and Features

Salesforce utilizes Content Security Policy (CSP) and specific platform features to enhance the security and agility of its products:

Experience Cloud (Digital Experiences)

- CSP Header Security Levels [Customer Configurable]: Experience Cloud allows administrators to select the level of CSP enforcement for their sites:
  - Strict CSP: Provides the highest security.
  - Relaxed CSP: Offers a less restrictive policy.
  - Allow Inline Scripts and Script Access to Any Third-party Host (Least Restrictive): This option provides the most flexibility but the least security and is generally not recommended.
- Lightning Locker: Lightning Locker is enabled by default, which provides component isolation and security .

Marketing Cloud

- CSP Implementation: Marketing Cloud supports the use of nonce-based CSP within its Interactions SDK to prevent unauthorized script execution. The Web Personalization Manager (WPM) requires the unsafe-inline source expression within the style-src directive due to Lightning Web Components (LWC) using inline styles. WPM can operate correctly without the unsafe-inline source expression when your CDN URLs are allowlisted.
- Reduced Dependency on unsafe-eval: The Personalization JavaScript beacon currently uses the unsafe-eval directive, Salesforce is actively working to remove the dependency on the unsafe-eval directive in the JavaScript beacon to further strengthen security.

CSP and Security in Lightning Components (Lightning Experience/LWC) -

- Strict CSP by Default: Lightning Experience enforces a strict CSP by default.
- Inline Scripts [Customer Configurable]: Inline scripts are blocked unless they are explicitly allowed.
- Default CSP Directives: Essential CSP directives (like font-src, img-src, media-src, frame-src, style-src, and connect-src) are typically set to 'self' by default. It's important to note that you cannot downgrade the protocol for these resources from HTTPS to HTTP.
- Client-Side Security: Salesforce ensures client-side security through Lightning Locker, which uses secure wrappers to filter access to global objects, and Lightning Web Security (LWS), which utilizes JavaScript sandboxes and API distortions to isolate components and improve performance.

Visualforce Pages [Customer Configurable]

- Trusted Sites for External Requests: Visualforce pages can be configured to make requests to external websites that have been explicitly added as a CSP Trusted Site to protect your users and your network.
- CSP Directives for Trusted Sites: Administrators can configure specific CSP directives for each Trusted Site, which allows fine-grained control .

Tableau Server

Tableau Server [Customer Configurable] : CSP can be configured in Tableau Server deployments using the tsm configuration set Options command.

Knowledge-artikkelnummer

005314099

Hjalp denne artikkelen med å løse problemet ditt?

La oss få vite det slik at vi kan forbedre!