CometChat with Content Security Policy

My application has a strict security requirement that requires Content Security Policy to be implemented across the entire site to whitelist JavaScript (amongst other things such as frames and such) as a proactive XSS prevention measure. I'm having difficulty integrating CometChat with the application as the code loaded by cometchat/cometchatjs.php appears to inject HTML elements with inline event handlers like onmouseout, which is prohibited by Content Security Policy:

    script-src 'nonce-randomstring' 'self'; default-src 'self'; style-src 'self' 'unsafe-inline'; img-src *; frame-ancestors 'self'

I don't have the latest version of CometChat but if the latest version still uses inline scripts then it won't work with the security policy and I will have to explore other solutions.

Comments

  • Hello cb61, We will try to address this concern in our next release v6.4.0. Unfortunately, this is known and we can improve it in our next release. Regards, Mike D CometChat
  • Excellent to hear. I'm also seeing occasional violations of `unsafe-eval` but I'm not sure how that affects CometChat if enforced. That is a definite deal-breaker for me if I need that directive. I look forward to seeing the new release and hopefully it will be fixed.
  • Hello cb61, We will surely try to improve things in our next release. We would like to thank you for your patience and support. Regards, Mike D CometChat
  • Hello, Is there any estimate on when the next release (v6.4.0) will be available? According to the comment on https://forum.cometchat.com/discussion/comment/592/#Comment_592, there seemed to be plans for release by the end of February; however, we are now approaching mid-March. More importantly, has the Content Security Policy issue been fixed with v6.4.0? Thanks,
  • Hello, We are aiming to launch v6.4.0 by the end of next week. Regards, Mike CometChat
  • When is the update really available?
  • Has this issue been fixed in the latest version?
  • Hi, We have tried to fix all possible issues with our new release. We would welcome your suggestions and will try to include that in our new release. Regards, Mike CometChat
  • In order to fix the Content Security Policy issue you must ensure that there are no inline scripts in the generated/injected HTML code. All event listeners must be done using JavaScript. For example: Inline event handler (this will fail the policy, and appears to be what is being generated by the code right now):
    <div id='x' onmouseover='doSomething();'></div>
    Proper way with pure JavaScript:
    document.getElementById('x').addEventListener('mouseover', function () {
        doSomething();
    });
    Proper way using jQuery:
    $('#x').on('mouseover', function () {
        doSomething();
    });
    I am unsure of the complexity of the code as well as plugins so it may be more involved than that, however CometChat is one of the biggest issues in my application to deal with regarding implementing CSP so it would be really appreciated to get this fixed promptly so I can upgrade.
  • Hi, I have requested for a solution from my team. Will get back to you shortly. Regards, Mike CometChat
  • Hi Mike, Has your team been able to implement a solution yet? Thanks,
  • We have upgraded CometChat to 6.8.3 recently and it seems to have gotten worse. I noticed in the changelog for 6.9.8 there is an item listed as "Fixed issue with XSS vulnerability". Can your team try to fix the issues with inline/eval code so that sites using a secure CSP can integrate CometChat?
  • Hi, please raise a support ticket so that our team can have a look at your issue.
