Content-Security-Policy and Mirage

Hi

I am trying to improve the security on my website and currently trying to remove unsafe-inline from my Content-Security-Policy (which is pretty much useless with unsafe-inline), but did not find a satisfactory way of dealing with Mirage.

Mirage works by injecting a script on the website, such as:

<script type="text/javascript" style="display:none">
//<![CDATA[
window.__mirage2 = {petok:"Xf.JTTrW4i7Yfb9yG5FbwV6tAfgi0usEodz3D9uXPvo-1800-0"};
//]]>
</script>

At first, I was thinking of using a hash to allow that particular script, but it could happen in several places based on the page and would have a different indentation, causing different hashes.

The only other solution I could think of would be to write a worker to either change the Mirage code or add a nonce to it so that it would work. But I am not sure the worker runs after Mirage and this would not be free :frowning:

Does anybody have a good solution for making Mirage work with a secure Content-Security-Policy?

Thanks!


It seems I was wrong about the predictability of the script. Using a hash seems to work. Now, it remains to be seen whether that value will change or not.

If the value changes, I think the only other choice is a worker and it should work as well since I was able to see the script in the worker, so we could modify it.


In the end, I had to switch to a CF worker, because the Mirage code is different on Mobile and on Desktop. So I would have to allow too many hashes. So, it seems the only way is to pay :frowning:
