GREATUK-1191 Implement 2024 penetration test recommendation

[hal274]

What

2024 penetration test recommendation suggest we update the content security policy to prevent inline javascripts from executing

Why

The CSP specification2 states that developers should not use as it enables XSS attacks by allowing code to be included directly into the document.3 Furthermore, the usage of should also be disallowed, since eval is considered a bad practice, opening up the possibility of code injection.

Furthermore, several third party domains were allowlisted within the policy. Every allowisted domain undermines the CSP and potentially allows for exploitation of XSS vulnerabilities which would otherwise not have been exploitable. In particular, several allowlisted domains ( and ) were known to allow various CSP bypasses.4 5 6

Recommendation

Review the CSP’s configuration to implement the best practices as described by the specification.7 8 9 10

Content Security Policy Specification: Content Security Policy Level 3

The unsafe-inline Source List Keyword unsafe-inline ⟶ CSP Guide

Workflow

• Ticket exists in Jira https://uktrade.atlassian.net/browse/GREATUK-1191
• Jira ticket has the correct status.
• A clear/description pull request messaged added.

Reviewing help

• Explains how to test locally, including how to set up appropriate data
• Where a PR contains code changes developed or maintained by multiple squads a representative from those squads should review the PR.

Merging

• This PR can be merged by reviewers. (If unticked, please leave for the author to merge)