Description
Describe the bug
We used a security scan to check for security issues. One of the issues was that we are using script-src 'unsafe-inline', and the recommended solution for that issue was to remove 'unsafe-inline' from our CSP header and add hash values instead. So we would like to safely remove this 'unsafe-inline' element from the CSP header and replace 'unsafe-inline' with hash values. We tried to do that, but on the login page of our web app we get this JavaScript snippet that causes problems.
We have here lastExecutionUrl, and that URL is always different. Because of that we would always need to use a different hash value, so we can't remove 'unsafe-inline' from our script elements and add hash values instead. Is there some other way to safely remove this 'unsafe-inline' element, or is there a way we can avoid using this JS snippet?
Version
12.0.4
Expected behavior
We can safely remove 'unsafe-inline' from our CSP.
Actual behavior
We can't remove it because of lastExecutionUrl, and because of that we can't log in to our web app.
How to Reproduce?
- Remove 'unsafe-inline' from CSP
- Try to log in to some web app with a user that's on Keycloak, where Keycloak provides the login for that web app
- User can't login
Anything else?
No response
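The problem in the report (a hash-source cannot allowlist an inline script whose text changes per request) is illustrated below with an added example; this is not Keycloak's code or the issue's actual snippet. The inline script body, the URLs and the helper names are constructed, and the CSP hash is computed the way browsers do it: base64 of the SHA-256 over the exact script text. A per-response nonce is shown as the alternative that works for dynamic inline scripts.

```python
import base64
import hashlib
import secrets

# Constructed stand-in for the login-page snippet described in the issue:
# the script body embeds a URL that differs on every request.
def render_inline_script(last_execution_url: str) -> str:
    return f"var lastExecutionUrl = '{last_execution_url}';"

def csp_hash_source(script_body: str) -> str:
    """Hash-source for an inline script: base64(SHA-256(exact script text)).
    Any change to the text, including whitespace, changes the hash."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def hash_based_policy(script_bodies) -> str:
    """script-src built from the hashes of known inline scripts (static content only)."""
    return "script-src 'self' " + " ".join(csp_hash_source(b) for b in script_bodies)

def new_nonce() -> str:
    """Fresh, unguessable nonce generated per HTTP response."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def nonce_based_policy(nonce: str) -> str:
    """script-src that allows only <script nonce="..."> tags carrying this nonce."""
    return f"script-src 'self' 'nonce-{nonce}'"

def script_allowed_by_hash(policy: str, script_body: str) -> bool:
    """Browser-side check: is the hash of this exact script text in the policy?"""
    return csp_hash_source(script_body) in policy.split()

def script_allowed_by_nonce(policy: str, tag_nonce: str) -> bool:
    """Browser-side check: does the tag's nonce attribute match the policy's nonce?"""
    return f"'nonce-{tag_nonce}'" in policy.split()

if __name__ == "__main__":
    # Hash computed from one rendering of the login page (constructed URLs).
    first = render_inline_script("https://idp.example/auth?execution=aaa")
    policy = hash_based_policy([first])
    second = render_inline_script("https://idp.example/auth?execution=bbb")
    print("same render allowed :", script_allowed_by_hash(policy, first))   # True
    print("next render allowed :", script_allowed_by_hash(policy, second))  # False
    # Nonce: header and script tag share a value minted for this one response.
    nonce = new_nonce()
    print("nonce tag allowed   :", script_allowed_by_nonce(nonce_based_policy(nonce), nonce))
```

The nonce must be regenerated for every response and never cached with the page, otherwise it degrades to a static allowlist value.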