Unsafe Content Security Policy
| ID | html.unsafe_content_security_policy |
| --- | --- |
| Severity | low |
| Resource | Access Control |
| Language | HTML |
| Tags | CWE:1021, NIST.SP.800-53, OWASP:2021:A4, PCI-DSS:6.5.4, PCI-DSS:6.5.6 |
Description
This rule identifies HTML documents that either do not define a Content Security Policy (CSP) via a meta tag or define a weak CSP that permits unsafe script execution. In particular, it flags policies that allow inline script execution, dynamic code evaluation, or overly permissive source definitions.
Although CSP is most commonly delivered via HTTP response headers, this rule operates at the HTML level and covers only the CSP misconfigurations that are detectable within the markup itself; a policy set in headers is out of its scope.
Rationale
Content Security Policy (CSP) is a defense-in-depth control designed to reduce the impact and exploitability of Cross-Site Scripting (XSS) vulnerabilities. An unsafe or missing CSP significantly weakens the browser’s ability to prevent injected script execution.
Common risks associated with weak CSP configurations include:
CSP Bypass: Directives such as unsafe-inline, unsafe-eval, or wildcard (*) sources undermine the protections offered by CSP and allow injected JavaScript to execute.
Expanded Attack Surface: Without strict script source restrictions, an attacker who achieves HTML or JavaScript injection can execute arbitrary code.
Missed Hardening Opportunity: Even in the absence of known XSS vulnerabilities, a strict CSP limits the blast radius of future or undiscovered issues.
Consider the following insecure examples:
```html
<!-- Wildcard default source plus inline and eval script execution -->
<meta http-equiv="Content-Security-Policy"
      content="default-src *; script-src 'unsafe-inline' 'unsafe-eval'">
```

```html
<!-- Scripts may be loaded from any origin -->
<meta http-equiv="Content-Security-Policy"
      content="script-src *">
```
Remediation
Implement a strict Content Security Policy and avoid unsafe script execution directives.
Where possible, enforce CSP using HTTP response headers rather than HTML meta tags. If a meta tag is required, ensure it defines a restrictive policy.
Recommended baseline policy, shown as a corrected example:

```html
<meta http-equiv="Content-Security-Policy"
      content="default-src 'self'; script-src 'self'; object-src 'none'">
```
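The following added example, which is not the rule engine's own implementation, shows the kind of markup-level check this rule performs: it collects every CSP meta tag from an HTML document, splits the policy into directives, and reports a missing policy, a policy that restricts neither script-src nor default-src, and unsafe-inline, unsafe-eval or wildcard sources in either script-governing directive. The function and class names are assumptions chosen for this example.

```python
from html.parser import HTMLParser

# Source tokens this rule treats as unsafe in a script-governing directive.
UNSAFE_TOKENS = {"'unsafe-inline'", "'unsafe-eval'", "*"}
# default-src is the browser's fallback when script-src is absent, so both are inspected.
SCRIPT_DIRECTIVES = ("default-src", "script-src")


class CspMetaCollector(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="Content-Security-Policy">."""

    def __init__(self):
        super().__init__()
        self.policies = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        attr = {k.lower(): (v or "").strip() for k, v in attrs}
        if attr.get("http-equiv", "").lower() == "content-security-policy":
            self.policies.append(attr.get("content", ""))


def parse_policy(policy):
    """Turn "default-src 'self'; script-src a b" into {directive: [sources]}."""
    directives = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if tokens:
            directives[tokens[0].lower()] = tokens[1:]
    return directives


def audit_html(html):
    """Return a list of findings; an empty list means the markup passes this rule."""
    collector = CspMetaCollector()
    collector.feed(html)
    if not collector.policies:
        return ["no Content-Security-Policy meta tag"]
    findings = []
    for policy in collector.policies:
        directives = parse_policy(policy)
        if not any(name in directives for name in SCRIPT_DIRECTIVES):
            findings.append("neither script-src nor default-src set: scripts unrestricted")
        for name in SCRIPT_DIRECTIVES:
            for source in directives.get(name, []):
                if source.lower() in UNSAFE_TOKENS:
                    findings.append(f"{name} allows {source}")
    return findings
```

Running it over the page's insecure examples yields one finding per unsafe token, while the corrected example yields no findings.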