Whitelist trusted sources

Severity: Recommended

CSP should explicitly whitelist only the domains you trust, rather than allowing everything. Each whitelisted domain is an attack surface.

Check automatically:

1. Check for overly permissive policies:

# Wildcard sources (bad)
grep -rE "default-src[^;]*\*|script-src[^;]*\*|style-src[^;]*\*" src/ app/ lib/ nginx/ 2>/dev/null

# data: URIs for scripts (can be abused)
grep -rE "script-src[^;]*data:" src/ app/ lib/ nginx/ 2>/dev/null

# blob: URIs (sometimes needed, but review)
grep -rE "script-src[^;]*blob:" src/ app/ lib/ nginx/ 2>/dev/null

2. Check for unsafe-eval:

# unsafe-eval in script-src (security risk)
grep -rE "script-src[^;]*unsafe-eval" src/ app/ lib/ nginx/ 2>/dev/null

3. Extract and review whitelisted domains:

# Find all CSP policies and extract domains
grep -rEo "(default-src|script-src|style-src|img-src|connect-src|font-src|frame-src)[^;]+" src/ app/ lib/ nginx/ 2>/dev/null

4. Check for common CDNs and third-parties:

# Common legitimate sources
grep -rE "cdn\.jsdelivr\.net|unpkg\.com|cdnjs\.cloudflare\.com|fonts\.googleapis\.com|fonts\.gstatic\.com" src/ app/ lib/ nginx/ 2>/dev/null

# Analytics/tracking
grep -rE "google-analytics\.com|googletagmanager\.com|analytics\.google\.com|plausible\.io|segment\.com" src/ app/ lib/ nginx/ 2>/dev/null

# Common third-party widgets
grep -rE "intercom\.io|crisp\.chat|zendesk\.com|stripe\.com|js\.stripe\.com" src/ app/ lib/ nginx/ 2>/dev/null

5. Check for 'self' as baseline:

# 'self' should be the foundation
grep -rE "default-src[^;]*'self'" src/ app/ lib/ nginx/ 2>/dev/null

6. Check connect-src for API endpoints:

# API endpoints that frontend can call
grep -rE "connect-src[^;]+" src/ app/ lib/ nginx/ 2>/dev/null

Ask user:

• "What third-party services does the frontend load? (analytics, chat, payments, fonts)"
• "Are there any CDNs used for static assets?"
• "Do you have a process for reviewing new third-party script additions?"
• "When was the CSP whitelist last reviewed?"

Cross-reference with:

• CSP-001 (full CSP headers)
• CSP-003 (blocking inline - whitelisting is the alternative)
• API-006 (API gateway - connect-src should match API domains)

Pass criteria:

• default-src 'self' as baseline
• Only necessary domains whitelisted
• No wildcard * in script-src or default-src
• Each whitelisted domain has a clear purpose
• No unsafe-eval unless justified and documented

Fail criteria:

• default-src * or script-src *
• data: allowed in script-src without justification
• unsafe-eval present without documented reason
• Long list of whitelisted domains with no documentation
• Domains whitelisted that are no longer used

Notes on unsafe-eval:

'unsafe-eval' allows eval(), Function(), and similar dynamic code execution. Security risk because XSS can use these to run arbitrary code.

When it's sometimes needed:

• Vue.js with runtime template compilation (not pre-compiled)
• Angular JIT mode (development only - production should use AOT)
• Some charting libraries (Chart.js older versions)
• Legacy code using eval() for JSON parsing

Recommendation:

• Never use in production if avoidable
• If needed: document why, isolate to specific pages if possible
• Vue: use pre-compiled templates (default in Vue CLI/Vite)
• Angular: use AOT compilation for production
• Chart.js: upgrade to v3+ which doesn't require eval

Periodic audit recommendation:

Review CSP whitelist quarterly:

1. List all whitelisted domains
2. Verify each is still in use (check network tab, grep codebase)
3. Remove domains for deprecated third-party services
4. Document purpose of each domain in code comments or docs
5. Check if any whitelisted domains have been compromised (rare but happens)

Evidence to capture:

• Full list of whitelisted domains per directive
• Purpose of each whitelisted domain (if documented)
• Any wildcards or overly permissive patterns
• Presence and justification of unsafe-eval
• Domains that appear unused or questionable
• Date of last whitelist review

---