How can I set script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline' ; for specific page or path in play framework 2.6.x?

Question

I have been trying to set a text editor in my web app. Where to access the text editor I have to allow script-src 'self' 'unsafe-inline' 'unsafe-eval' and style-src 'unsafe-inline'. But in playframework 2.6.x i have to set this by play.filters.headers.contentSecurityPolicy in config file which makes the whole app insecure.

Note: meta tag does not work, even I tried to pass Content-security-policy in response header by filter. Nothing works.

In this case is there any way of setting script-src 'self' 'unsafe-inline' 'unsafe-eval' and style-src 'unsafe-inline' for any specific page or path in play 2.6.x?

Answer 1

Here is an example from the Silhouette Seed Template

# Security Filter Configuration - Content Security Policy
play.filters.headers {
  contentSecurityPolicy = "default-src 'self';"
  contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" img-src 'self' *.fbcdn.net *.twimg.com *.googleusercontent.com *.xingassets.com vk.com *.yimg.com secure.gravatar.com;"
  contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" style-src 'self' 'unsafe-inline' cdnjs.cloudflare.com maxcdn.bootstrapcdn.com cdn.jsdelivr.net fonts.googleapis.com;"
  contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" font-src 'self' fonts.gstatic.com fonts.googleapis.com cdnjs.cloudflare.com;"
  contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" script-src 'self' cdnjs.cloudflare.com;"
  contentSecurityPolicy = ${play.filters.headers.contentSecurityPolicy}" connect-src 'self' twitter.com *.xing.com;"
}

Play 2.7 On a certain Action it looks like:

Ok("Index").withHeaders(SecurityHeadersFilter.REFERRER_POLICY -> "my page-specific header")

Check the documentation: https://www.playframework.com/documentation/2.7.x/SecurityHeaders#Action-specific-overrides

However in Play 2.7 this is deprecated - use CSP instead - see: https://www.playframework.com/documentation/2.7.x/CspFilter#Enabling-CSP-on-Specific-Actions

There is also a possibility (on the same doc) to exclude a route from the CSP filter, like:

+ nocsp
POST     /report-to                 controllers.CSPReportController.report