I was just wondering if there's any push on getting Storyline CSP compliant? I know I can add a script-src with unsafe-inline, but that kind of diminishes the value of the header in the first place. Is there any effort in getting a strict CSP in place when serving storyline output? That is, removing all inline JS as a start?
7 Replies
Hello there! Currently, CSP is not on our roadmap as a general solution. We know customers insert iframe elements, for example, and we don't want to broadly prevent using external content.
We're happy to hear more about your concerns and ideas, however! Thanks for sharing.
Well, CSP is variable, so at least removing all inline JS and not using eval would already make it a lot better (also when considering performance!).
For anyone else bumping into this thread, this is the CSP header I currently have implemented, and it works with the latest StoryLine (the plus side: it will also block StoryLine's telemetry, so you don't have to manually uncheck the privacy checkbox in every install):
default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; media-src 'self' data:; font-src 'self' data:;
Especially the script-src part is wide open (and the most important part of CSP in the first place IMHO). Removing all inline JS and especially removing all eval in the JS would already make me a lot happier :)
Injecting into iFrames is understandable. That could easily be an option when exporting, and adjusting the CSP header accordingly.
The thing is that I think a lot of implementations will upload StoryLine content through websites (to publish e-learning content) and that these headers might be able to save you from some nastiness along the way.
Hi, has there been an update to this issue since 2019? We are running into these issues today and are looking to see if there has been any action on this topic recently.
Hi Kathy, and welcome to the E-Learning Heroes community! ✨
I apologize for the issues you are experiencing in Storyline 3 with CSP.
Are you specifically interested in removing all inline JavaScript, or something else?
This is a current feature request, and I will be sure to update the thread if it should make it onto our feature roadmap!
Hi Andrea,
Thank you for your response.
We would be looking for the following vulnerabilities to be resolved.
Common vulnerabilities found in code:
1) Use of inline JavaScript functions
2) Use of inline styles
3) Use of inline click event handlers and javascript: URIs
4) Use of styles in JavaScript files
5) Use of SVG tags to set dimensions in JavaScript files
Here is one example.
Inline JavaScript and styles (highlighted) contained in index.aspx pages
Please let me know if this helps.
Thanks,
Kathy
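As an added example (not code from this thread, from Articulate, or from any Storyline export), the script below does what the two posts above circle around: it scans an HTML page and a JS file for the five patterns Kathy lists (inline script blocks, inline styles, handler attributes and javascript: URIs, style attributes set from JS, SVG markup built in JS), then checks every finding against a Content-Security-Policy string. Run against the header posted earlier in the thread it blocks nothing, which is the concrete reason 'unsafe-inline' and 'unsafe-eval' "diminish the value of the header"; against a nonce-based policy it blocks almost everything found. The sample markup (SAMPLE_HTML), sample script (SAMPLE_JS), STRICT_HEADER and all function names are my own constructions for illustration. The CSP model is deliberately simplified: script-src/style-src fall back to default-src, a listed nonce or hash disables 'unsafe-inline', nonces never cover handler attributes or javascript: URIs, and CSSOM property writes (el.style.width = ...) are not treated as inline style, because browsers do not block them.

```python
"""Scan exported HTML/JS for inline-code patterns, then check each one against
a CSP. Added example, not Articulate's code; the sample markup, JS and strict
header are constructed for illustration, not taken from a real Storyline export."""
import re
from html.parser import HTMLParser

SAMPLE_HTML = """\
<!DOCTYPE html>
<html><head>
<style>.slide { width: 720px; }</style>
<script src="story_content/user.js"></script>
<script>var globalProvideData = function () { /* ... */ };</script>
</head>
<body style="margin:0">
  <a href="javascript:void(0)" onclick="launch()">Start</a>
  <script nonce="abc123">init();</script>
</body></html>
"""
SAMPLE_JS = """\
var html = '<svg width="100" height="50"></svg>';
player.setAttribute('style', 'width:100%');
player.style.width = '720px';
var fn = new Function('return 1');
setTimeout("tick()", 100);
eval(code);
"""
# The header posted in the thread, and an assumed strict nonce-based alternative.
POSTED_HEADER = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
                 "style-src 'self' 'unsafe-inline'; img-src 'self' data:;"
                 "media-src 'self' data:;font-src 'self' data:;")
STRICT_HEADER = ("default-src 'self'; script-src 'self' 'nonce-abc123'; "
                 "style-src 'self'; object-src 'none'")

class InlineCodeScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (kind, line, detail); detail of inline-script is its nonce

    def handle_starttag(self, tag, attrs):
        attrs = [(name, value or "") for name, value in attrs]
        line = self.getpos()[0]
        if tag == "script" and not any(name == "src" for name, _ in attrs):
            self.findings.append(("inline-script", line, dict(attrs).get("nonce", "")))
        if tag == "style":
            self.findings.append(("inline-style-block", line, ""))
        for name, value in attrs:
            if name == "style":
                self.findings.append(("inline-style-attr", line, tag))
            elif name.startswith("on"):  # onclick=, onload=, ...
                self.findings.append(("inline-handler", line, "%s=%s" % (name, value)))
            elif value.strip().lower().startswith("javascript:"):
                self.findings.append(("javascript-uri", line, "%s=%s" % (name, value)))

def scan_html(html):
    scanner = InlineCodeScanner()
    scanner.feed(html)
    return scanner.findings

# Patterns in JS files; is_blocked() decides which ones CSP actually stops.
JS_PATTERNS = [
    ("eval", re.compile(r"\beval\s*\(")),
    ("new-Function", re.compile(r"\bnew\s+Function\s*\(")),
    ("string-timer", re.compile(r"\b(?:setTimeout|setInterval)\s*\(\s*['\"]")),
    ("style-attr-in-js", re.compile(r"setAttribute\(\s*['\"]style['\"]")),
    ("cssom-style", re.compile(r"\.style\.\w+\s*=")),
    ("svg-markup-in-js", re.compile(r"<svg\b")),
]

def scan_js(source):
    return [(kind, lineno, text.strip())
            for lineno, text in enumerate(source.splitlines(), 1)
            for kind, pattern in JS_PATTERNS if pattern.search(text)]

def parse_csp(header):
    chunks = (chunk.split() for chunk in header.split(";"))
    return {tokens[0].lower(): tokens[1:] for tokens in chunks if tokens}

def allows_inline(sources):
    # CSP2+: once a nonce or hash is listed, 'unsafe-inline' is ignored.
    return ("'unsafe-inline'" in sources
            and not any(s.startswith(("'nonce-", "'sha")) for s in sources))

def is_blocked(policy, kind, detail=""):
    """Would the browser refuse this finding under the policy? (simplified CSP3)"""
    scripts = policy.get("script-src", policy.get("default-src"))  # fallback rule
    styles = policy.get("style-src", policy.get("default-src"))
    if kind == "inline-script" and scripts is not None:
        nonce_ok = bool(detail) and "'nonce-%s'" % detail in scripts
        return not (allows_inline(scripts) or nonce_ok)
    if kind in ("inline-handler", "javascript-uri"):  # nonces never cover these
        return scripts is not None and not allows_inline(scripts)
    if kind in ("eval", "new-Function", "string-timer"):
        return scripts is not None and "'unsafe-eval'" not in scripts
    if kind in ("inline-style-block", "inline-style-attr", "style-attr-in-js"):
        return styles is not None and not allows_inline(styles)
    # cssom-style (el.style.x = ...) is not an inline style and runs under any CSP;
    # svg-markup-in-js only matters if the injected markup carries style/handlers.
    return False

def evaluate(header, html, js):
    policy = parse_csp(header)
    return [(kind, line, is_blocked(policy, kind, detail))
            for kind, line, detail in scan_html(html) + scan_js(js)]

def summarize(header, html, js):
    results = evaluate(header, html, js)
    return len(results), sum(1 for _, _, blocked in results if blocked)
```

Call evaluate() with the header you intend to ship and the contents of an exported page plus its script files; every finding marked blocked is something to change before the policy leaves Content-Security-Policy-Report-Only mode (move the script into a file or give it a nonce, attach handlers with addEventListener, move style attributes into a stylesheet, replace eval/new Function/string timers). With the sample inputs, POSTED_HEADER blocks 0 of 12 findings and STRICT_HEADER blocks 9; the three it lets through are the nonced script, the CSSOM write and the SVG string, which is exactly the shape of output that makes the "remove inline JS and eval first" request concrete.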
Hi Kathy!
Thank you for sharing those additional details with us.
I have created a feature request on your behalf. We will be sure to update you if this makes it onto our feature roadmap!
Thank you.
U.S. BANCORP made the following annotations
---------------------------------------------------------------------
Electronic Privacy Notice. This e-mail, and any attachments, contains information that is, or may be, covered by electronic communications privacy laws, and is also confidential and proprietary in nature. If you are not the intended recipient, please be advised that you are legally prohibited from retaining, using, copying, distributing, or otherwise disclosing this information in any manner. Instead, please reply to the sender that you have received this communication in error, and then immediately delete it. Thank you in advance for your cooperation.
---------------------------------------------------------------------