worldline · Binanz · Feb 12, 2023 · Feb 14, 2023 · Feb 14, 2023
diff --git a/pw/pw-csp/client/src/index.html b/pw/pw-csp/client/src/index.html
@@ -1,26 +1,43 @@
-<!doctype html>
+<!DOCTYPE html>
 <html lang="en">
-<head>
-  <!--<meta http-equiv="Content-Security-Policy"
-        content=".....">
+  <head>
+    <!-- autorize font in csp policy -->
+    <meta
+      http-equiv="Content-Security-Policy"
+      content="default-src 'self';
+              script-src 'sha256-bnvMlzCkExJuk27zX9Elb1jJxyvN4DcATdP+klZg6VY=' 'self';
+              connect-src 'self';
+              img-src 'self';
+              style-src 'self' 'unsafe-inline' ;
+              font-src 'self';
+              base-uri 'self';
+              object-src 'none';
+              trusted-types angular;
+              require-trusted-types-for 'script'"
+    />
 
-        -->
-
-  <meta charset="utf-8">
-  <title>Test</title>
-  <base href="/">
-  <meta name="viewport" content="width=device-width, initial-scale=1">
-  <link rel="icon" type="image/x-icon" href="favicon.ico">
-</head>
-<body>
-  <app-root></app-root>
-  <!--
+    <meta charset="utf-8" />
+    <title>Test</title>
+    <base href="/" />
+    <meta name="viewport" content="width=device-width, initial-scale=1" />
+    <link rel="icon" type="image/x-icon" href="favicon.ico" />
+  </head>
+  <body>
+    <app-root></app-root>
+    <!--
          Uncomment the line below for PW-CSP solution
            - This is inline scripting. Not recommended, only for test purpose !
            - To secure inline scripting, use CSP 3 sha256 hash syntax  : "script-src ... 'sha256-lK+Y3vDnNUrD/ZPLGsnM6B+euoBxZ/MyiIbY2G5VoPw='
-
-   <script>document.write('<h1>Inline scripting is <b>not recommended</b>! But if you have not the choice, <b>secure your app with CSP</b></h1>');</script>
-   -->
-
-</body>
+      -->
+    <script>
+      const escapeHTMLPolicy = trustedTypes.createPolicy("angular", {
+        createHTML: (string) => string,
+      });
+      const escaped = escapeHTMLPolicy.createHTML(
+        "<h1>Inline scripting is <b>not recommended</b>! But if you have not the choice, <b>secure your app with CSP</b></h1>"
+      );
+      console.log(escaped instanceof TrustedHTML); // true
+      document.write(escaped);
+    </script>
+  </body>
 </html>
diff --git a/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java b/pw/pw-csp/server/src/main/java/com/worldline/bookstore/config/SecurityConfiguration.java
@@ -109,41 +109,48 @@ protected void configure(HttpSecurity http) throws Exception {
 
     }
 
-  //     Add CSP hash for the following inline scripting (see https://report-uri.io/home/hash) :
-  //    	- "document.write('<h1>Inline scripting is <b>not recommended</b>! But if you have not the choice, <b>secure your app with CSP</b></h1>');" 	==> 'sha256-lK+Y3vDnNUrD/ZPLGsnM6B+euoBxZ/MyiIbY2G5VoPw='
-  //    	- inline style ...
+    // Add CSP hash for the following inline scripting (see
+    // https://report-uri.io/home/hash) :
+    // - "document.write('<h1>Inline scripting is <b>not recommended</b>! But if you
+    // have not the choice, <b>secure your app with CSP</b></h1>');" ==>
+    // 'sha256-lK+Y3vDnNUrD/ZPLGsnM6B+euoBxZ/MyiIbY2G5VoPw='
+    // - inline style ...
     private void setCspConfig(HttpSecurity http) throws Exception {
-      http
-        .headers()
-        .contentSecurityPolicy(
-          "script-src" +
-            " 'none' "+
-            // "'unsafe-eval' 'unsafe-inline' " +
-            ";" +
-            // add connect-src directive to adapt CSP over cross-origin requests (CORS)
-            "connect-src"+
-            " 'self'"+
-            ";"+
-            " style-src" +
-            " 'self' 'unsafe-inline'"+
-            ";" +
-            " font-src" +
-            " 'self' "+
-            ";" +
-            " img-src" +
-            " 'self' " +
-            ";" +
-            " child-src" +
-            " 'self' " +
-            ";" +
-            " object-src" +
-            " 'none' " +
-            ";" +
-            " report-uri" +
-            " 'http://localhost:4200' " +
-            ";" +
-            " default-src" +
-            " 'self' ");//.reportOnly();
+        http
+                .headers()
+                .contentSecurityPolicy(
+                        "script-src" +
+                                "'sha256-bnvMlzCkExJuk27zX9Elb1jJxyvN4DcATdP+klZg6VY=' 'self' " +
+                                ";" +
+                                // add connect-src directive to adapt CSP over cross-origin requests (CORS)
+                                "connect-src" +
+                                " 'self'" +
+                                ";" +
+                                " style-src" +
+                                " 'self' 'unsafe-inline'" +
+                                ";" +
+                                " font-src" +
+                                " 'self'" +
+                                ";" +
+                                " img-src" +
+                                " 'self' " +
+                                ";" +
+                                " child-src" +
+                                " 'self' " +
+                                ";" +
+                                " object-src" +
+                                " 'none' " +
+                                ";" +
+                                " report-uri" +
+                                " 'http://localhost:4200' " +
+                                ";" +
+                                " default-src" +
+                                " 'self' " +
+                                ";" +
+                                " require-trusted-types-for" +
+                                " 'script' " +
+                                ";" +
+                                " trusted-types angular");// .reportOnly();
     }
 
     private JWTConfigurer securityConfigurerAdapter() {