
[Security] INFO: unsafe-inline CSP negates script injection mitigations #19

@noahwaldner


Severity: Informational

File: src/web/server.ts:718

Description

```ts
reply.header('Content-Security-Policy',
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net; ..."
);
```

'unsafe-inline' in script-src allows all inline <script> tags and on* event handler attributes. This means any XSS that can inject HTML (such as the case name XSS in #18) can execute JavaScript without CSP blocking it.

Additionally, https://cdn.jsdelivr.net in script-src means the browser trusts any content served from that CDN. A malicious package published to npm (and accessible via a jsdelivr URL) could load attacker-controlled scripts.

Root Cause

The directive is required by the app's extensive use of inline onclick="..." handlers throughout app.js (~17K lines).

Remediation

  1. Migrate inline onclick="..." handlers in app.js to addEventListener() calls
  2. Remove 'unsafe-inline' from script-src
  3. Consider a nonce-based or hash-based CSP as an intermediate step during migration
  4. Evaluate whether the jsdelivr.net CDN allowlist is still needed — vendor assets are already self-hosted in src/web/public/vendor/
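Added example, not code from the project or the issue author: a small TypeScript audit of the script-src policy described above, plus the nonce-based header that remediation step 3 suggests. The sample header is constructed from the shape quoted in the issue; function names are my own.

```typescript
import { randomBytes } from "crypto";

// Split a CSP header into directive name -> list of source expressions.
export function parseCsp(header: string): Map<string, string[]> {
  const directives = new Map<string, string[]>();
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives.set(name.toLowerCase(), sources);
  }
  return directives;
}

// Flag script-src entries that undo script-injection mitigations.
// Quoted tokens are keywords ('self', 'nonce-...', 'sha256-...'); anything
// unquoted is a host or scheme the browser will load scripts from wholesale.
// CSP Level 2+ browsers ignore 'unsafe-inline' once a nonce or hash is present,
// which is what makes a nonce a workable intermediate migration step.
export function auditScriptSrc(header: string): string[] {
  const csp = parseCsp(header);
  const scriptSrc = csp.get("script-src") ?? csp.get("default-src") ?? [];
  const hasNonceOrHash = scriptSrc.some((s) => /^'(nonce|sha(256|384|512))-/.test(s));
  const findings: string[] = [];
  for (const src of scriptSrc) {
    if (src === "'unsafe-inline'" && !hasNonceOrHash) {
      findings.push("script-src allows 'unsafe-inline'");
    } else if (!src.startsWith("'")) {
      findings.push(`script-src trusts external source ${src}`);
    }
  }
  return findings;
}

// Fresh per-response nonce; the same value must go on every server-emitted
// <script nonce="..."> tag. Inline on* attributes still will not run.
export function newNonce(): string {
  return randomBytes(16).toString("base64");
}

// Hardened header: the nonce replaces 'unsafe-inline' and the CDN entry is
// dropped because vendor assets are self-hosted (remediation step 4).
export function buildNonceCsp(nonce: string): string {
  return `default-src 'self'; script-src 'self' 'nonce-${nonce}'; object-src 'none'; base-uri 'self'`;
}

// Constructed sample in the shape the issue quotes (elided directives omitted).
export const WEAK_CSP =
  "default-src 'self'; script-src 'self' 'unsafe-inline' https://cdn.jsdelivr.net";
```

Running auditScriptSrc over the current header yields two findings; over the nonce-based header it yields none, and a header that keeps 'unsafe-inline' alongside a nonce (the legacy-browser fallback) is also accepted.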
