
Security: CSP in report-only mode — XSS protections not enforced #1080

@philayres

Description


Summary

The Content Security Policy (CSP) is configured but running in report-only mode, meaning violations are logged but not blocked. Additionally, the CSP uses unsafe-eval in script-src and unsafe-inline in multiple style-src directives.

Locations

  • config/initializers/content_security_policy.rb line 40: config.content_security_policy_report_only = true
  • Line 15: script-src includes :unsafe_eval
  • Lines 16, 18, 19: style-src, style-src-attr, style-src-elem include :unsafe_inline

Current State

Directive        Value                                    Risk
report_only      true                                     CSP violations NOT blocked
script-src       :self, :https, :unsafe_eval              Allows eval()
style-src        :self, :https, :unsafe_inline            Allows inline styles
script-src-elem  :self, :https, :strict_dynamic + nonce   Good
object-src       :none                                    Good

Positive Notes

  • Nonce-based CSP is already implemented for scripts via content_security_policy_nonce_generator
  • CSP violation reporting endpoint exists at /csp-violation-report-endpoint
  • The xhtml_script_tag helper supports nonce injection

Impact

  • HIGH: XSS attacks are not blocked even though CSP is configured
  • unsafe-eval allows attackers to execute eval()-based payloads
  • unsafe-inline for styles could enable CSS-based data exfiltration

Recommended Fix

  1. Review CSP violation reports to identify legitimate violations
  2. Remove unsafe-eval from script-src (may require refactoring Handlebars template compilation)
  3. Transition styles to nonce-based or hash-based CSP
  4. Set content_security_policy_report_only = false to enforce the policy
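A runnable model of the two states this issue describes, added here as an example and not taken from the project's initializer: it renders Rails-style directive symbols into the header a browser would receive, switches the header name on the report-only flag, and audits the result for the findings listed above. The policy hashes are constructed to match the table, and SecureRandom stands in for content_security_policy_nonce_generator.

```ruby
require "securerandom"

# Constructed policies mirroring the issue (example data, not the project's initializer).
CURRENT_POLICY = {
  report_only: true,
  directives: {
    "script-src"      => [:self, :https, :unsafe_eval],
    "script-src-elem" => [:self, :https, :strict_dynamic, :nonce],
    "style-src"       => [:self, :https, :unsafe_inline],
    "style-src-attr"  => [:self, :https, :unsafe_inline],
    "style-src-elem"  => [:self, :https, :unsafe_inline],
    "object-src"      => [:none],
  },
}

# The state the Recommended Fix steps lead to: enforcing, nonce-based, no unsafe-* keywords.
HARDENED_POLICY = {
  report_only: false,
  directives: {
    "script-src" => [:self, :https, :strict_dynamic, :nonce],
    "style-src"  => [:self, :https, :nonce],
    "object-src" => [:none],
  },
}

# Spell one source the way the CSP header does ('self', https:, 'nonce-...').
def render_source(src, nonce)
  case src
  when :nonce then "'nonce-#{nonce}'"
  when :https then "https:"                 # scheme sources are unquoted
  else "'#{src.to_s.tr('_', '-')}'"         # 'self', 'none', 'unsafe-eval', 'strict-dynamic'
  end
end

# Returns [header_name, header_value]; report_only selects the non-enforcing header.
def csp_header(policy, nonce)
  name = policy[:report_only] ? "Content-Security-Policy-Report-Only" : "Content-Security-Policy"
  value = policy[:directives].map { |d, srcs| "#{d} #{srcs.map { |s| render_source(s, nonce) }.join(' ')}" }
  [name, value.join("; ")]
end

# Audit a rendered header for the weaknesses this issue reports.
def csp_findings(name, value)
  findings = []
  findings << "report-only: violations are logged, not blocked" if name.end_with?("-Report-Only")
  value.split("; ").each do |directive|
    d, *srcs = directive.split(" ")
    findings << "#{d} allows 'unsafe-eval'"   if srcs.include?("'unsafe-eval'")
    findings << "#{d} allows 'unsafe-inline'" if srcs.include?("'unsafe-inline'")
  end
  findings
end

if __FILE__ == $0
  nonce = SecureRandom.base64(16)
  [CURRENT_POLICY, HARDENED_POLICY].each do |p|
    name, value = csp_header(p, nonce)
    puts "#{name}: #{value}"
    puts csp_findings(name, value).map { |f| "  - #{f}" }.join("\n")
  end
end
```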

Regression Spec

Security regression spec at spec/controllers/security/http_security_headers_spec.rb documents the current state (7 examples, 0 failures).

Metadata

Labels: security (Security issue or CVE in dependency)