View Issue Details

This issue affects 2 person(s).
ID: 20166
Project: Feature requests
Category: Security
View Status: public
Last Update: 2026-03-03 17:34
Reporter: Ryszard
Assigned To:
Priority: none
Severity: feature
Status: new
Resolution: open
Summary: 20166: Missing Content-Security-Policy Header
Description

The application's responses did not identify a deployed Content-Security-Policy header.

A CSP can significantly complicate exploitation of the vulnerability.

It is recommended to consider implementing the Content-Security-Policy header.


Tags: No tags attached.
Bug heat: 264
Story point estimate: 0
Users affected %: 0

Users monitoring this issue: tassoman

Activities

DenisChenu (developer), 2025-07-10 09:14, ~83054

We will look at the issue as soon as possible.

DenisChenu (developer), 2025-07-10 09:15, ~83055

My opinion: can add CSP in administration.
For public survey/theme: must be open: allow external video/image etc. For external JS: we need a solution to allow it by theme at minimum, then maybe just add it in template?

c_schmitz (administrator), 2025-12-08 10:43, ~83989

CSP can be set anytime by the webserver, there is no need to have this in LimeSurvey itself.

tassoman (reporter), 2026-03-03 17:26, ~84374

My security office asked for it. Setting the vulnerability as medium.

Then I've set the following configuration in the container:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'nonce-rer2026'; img-src 'self' 'nonce-rer2026'; style-src 'self' 'nonce-myls2026';"

Now the application is giving console errors, mostly because parts of the frontend have inline <script> elements with no hash or nonce.

Further to what @DenisChenu stated before, there's also the vulnerability risk of writing JavaScript into the question text. I guess it's kind of a "core feature", very precious for altering question widgets, but at the same time pretty dangerous.
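The console errors described in the comment above follow directly from how browsers evaluate inline scripts under CSP. As an added worked example (not LimeSurvey code and not something any commenter posted), the Python below parses a CSP header, decides whether an inline <script> would be allowed to run, computes the 'sha256-...' source that whitelists a given inline body, and builds a policy with a per-response nonce; the header quoted above is embedded as constructed sample input, and the function and constant names are my own.

```python
import base64
import hashlib
import secrets

# Constructed sample input: the Apache-configured policy quoted in the comment above.
STATIC_POLICY = ("default-src 'self'; script-src 'self' 'nonce-rer2026'; "
                 "img-src 'self' 'nonce-rer2026'; style-src 'self' 'nonce-myls2026';")

def parse_csp(header):
    """Parse a Content-Security-Policy value into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def script_hash_source(body):
    """Hash source for an inline script: SHA-256 over the exact UTF-8 bytes between the tags."""
    digest = hashlib.sha256(body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def inline_script_allowed(policy, nonce_attr=None, body=None):
    """True if an inline <script> would execute; script-src governs, default-src is the fallback."""
    sources = policy.get("script-src", policy.get("default-src", []))
    if nonce_attr is not None and f"'nonce-{nonce_attr}'" in sources:
        return True
    if body is not None and script_hash_source(body) in sources:
        return True
    # Once any nonce or hash source is present, browsers ignore 'unsafe-inline' (CSP Level 2+),
    # so a bare inline <script> is blocked: that is what produces the console errors above.
    has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash

def fresh_nonce():
    """Per-response nonce: 128 random bits from a CSPRNG, base64-encoded. A nonce hard-coded
    in the web server config is identical on every response and gives no such guarantee."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(nonce):
    """Policy with the nonce only where it has meaning: nonce sources apply to script and style
    directives, so a 'nonce-...' in img-src (as in STATIC_POLICY) is simply ignored."""
    return (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
            f"style-src 'self' 'nonce-{nonce}'; img-src 'self'")

if __name__ == "__main__":
    policy = parse_csp(STATIC_POLICY)
    print("bare inline <script> allowed:", inline_script_allowed(policy))  # False
    print("with matching nonce attribute:", inline_script_allowed(policy, nonce_attr="rer2026"))  # True
```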

tassoman (reporter), 2026-03-03 17:34, ~84379

For the same motivation, it's recommended to raise the level of security against XSS.
More context on CSP: https://cheatsheetseries.owasp.org/cheatsheets/Content_Security_Policy_Cheat_Sheet.html

Issue History

Date Modified Username Field Change
2025-07-09 14:18 Ryszard New Issue
2025-07-10 09:13 DenisChenu Assigned To => c_schmitz
2025-07-10 09:13 DenisChenu Status new => assigned
2025-07-10 09:14 DenisChenu Status assigned => feedback
2025-07-10 09:14 DenisChenu Note Added: 83054
2025-07-10 09:14 DenisChenu Bug heat 256 => 258
2025-07-10 09:15 DenisChenu Note Added: 83055
2025-12-08 10:42 c_schmitz Project Bug reports => Feature requests
2025-12-08 10:43 c_schmitz Status feedback => new
2025-12-08 10:43 c_schmitz Note Added: 83989
2025-12-08 10:43 c_schmitz Bug heat 258 => 260
2026-02-24 11:33 c_schmitz Severity @50@ => feature
2026-02-24 11:33 c_schmitz Product Version 6.6.x =>
2026-02-24 11:33 c_schmitz View Status private => public
2026-02-24 11:33 c_schmitz Story point estimate => 0
2026-02-24 11:33 c_schmitz Users affected % => 0
2026-02-24 11:33 c_schmitz Bug heat 260 => 254
2026-02-24 14:08 c_schmitz Assigned To c_schmitz =>
2026-03-03 17:26 tassoman Note Added: 84374
2026-03-03 17:26 tassoman Bug heat 254 => 256
2026-03-03 17:26 tassoman Issue Monitored: tassoman
2026-03-03 17:26 tassoman Bug heat 256 => 258
2026-03-03 17:30 tassoman Bug heat 258 => 264
2026-03-03 17:34 tassoman Note Added: 84379