Configuring CSP for EUM injection (End User Monitoring (EUM) discussion thread)
03-16-2018
12:28 AM
Awesome!
Thank you for your clarification and pointing out the potential pitfalls of this approach.
03-14-2018
03:51 AM
Thanks for your reply once again, Amit.
We are looking to use this technique to allow inline script: https://www.w3.org/TR/CSP2/#script-src-hash-usage
The steps are as follows:
1) Turn on AppDynamics EUM
2) Check the webpage and copy the entire injected <script> block's contents
3) Compute the SHA-512 hash of (2)
4) Configure AP to add this static CSP HTTP header, with the hash computed in (3), to every page served, like so:
Content-Security-Policy: script-src 'sha512-YWIzOWNiNzJjNDRlYzc4MTgwMDhmZDlkOWI0NTAyMjgyY2MyMWJlMWUyNjc1ODJlYWJhNjU5MGU4NmZmNGU3OAo='
Using this method, any change in the injected <script> block's contents will break our CSP whitelist, as the browser will disallow non-whitelisted JavaScript.
We would like to know if this block is subject to change, assuming we do not modify the configuration of the Browser Application via the AppDynamics dashboard. Possible changes we thought of are JS logic changes or automatic version bumps of adrum.ext.hash.js, etc.
I hope I was able to explain it more clearly this time! Thank you!
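As an added worked example (not code from the original thread, the poster, or AppDynamics), the following Python computes the hash-source token for the injected inline block described in the four-step procedure above, emits the script-src directive, and models the browser-side check so that a change to the block shows up as a mismatch. The sample page, the CDN file path and the config keys are constructed placeholders, not real agent output. Two points from the cited CSP2 section that the example enforces: the digest is taken over the exact text content of the <script> element (whitespace included), base64-encoded from the raw digest bytes rather than from a hex string; and a hash-source matches inline scripts only, so the external agent file loaded from cdn.appdynamics.com still needs a host-source entry in script-src.

```python
import base64
import hashlib
import re

# Constructed sample page (NOT real AppDynamics output). The inline block
# stands in for the injected EUM configuration; the external file stands in
# for the agent script it loads (hypothetical CDN path).
PAGE_V1 = """<html><head>
<script type="text/javascript">
window["adrum-start-time"] = new Date().getTime();
(function(config){
    config.appKey = "AD-AAB-EXAMPLE";
    config.adrumExtUrlHttps = "https://cdn.appdynamics.com";
})(window["adrum-config"] || (window["adrum-config"] = {}));
</script>
<script src="https://cdn.appdynamics.com/adrum/adrum.ext.example.js"></script>
</head><body>hello</body></html>"""

# The same page after one value in the injected block changed (constructed).
PAGE_V2 = PAGE_V1.replace('config.appKey = "AD-AAB-EXAMPLE";',
                          'config.appKey = "AD-AAB-CHANGED";')

SCRIPT_RE = re.compile(r"<script\b(?P<attrs>[^>]*)>(?P<body>.*?)</script>",
                       re.IGNORECASE | re.DOTALL)


def inline_script_bodies(html):
    """Return the text content of every <script> that has no src attribute.

    The body is returned verbatim: leading/trailing newlines and indentation
    are part of what the browser hashes, so nothing is stripped here.
    """
    bodies = []
    for m in SCRIPT_RE.finditer(html):
        if re.search(r"\bsrc\s*=", m.group("attrs"), re.IGNORECASE):
            continue  # external script: a hash-source does not cover it under CSP2
        bodies.append(m.group("body"))
    return bodies


def csp_hash(script_text, algo="sha512"):
    """Hash-source token for one inline script: base64 of the raw digest bytes."""
    if algo not in ("sha256", "sha384", "sha512"):
        raise ValueError("CSP2 allows only sha256/sha384/sha512, got %r" % algo)
    digest = hashlib.new(algo, script_text.encode("utf-8")).digest()
    return "'%s-%s'" % (algo, base64.b64encode(digest).decode("ascii"))


def script_src_directive(html, external_hosts=(), algo="sha512"):
    """Build a script-src directive: one hash per inline block plus host-sources
    for the external files the page loads (the CDN host in this thread)."""
    tokens = [csp_hash(body, algo) for body in inline_script_bodies(html)]
    tokens.extend(external_hosts)
    return "script-src " + " ".join(tokens)


def inline_scripts_allowed(html, directive):
    """Model the browser's decision for inline scripts under the given directive."""
    allowed = set(directive.split()[1:])
    has_hash_or_nonce = any(t.startswith(("'sha", "'nonce-")) for t in allowed)
    # CSP2: 'unsafe-inline' is ignored as soon as a hash or nonce is present.
    if "'unsafe-inline'" in allowed and not has_hash_or_nonce:
        return True
    for body in inline_script_bodies(html):
        if not any(csp_hash(body, a) in allowed
                   for a in ("sha256", "sha384", "sha512")):
            return False
    return True


if __name__ == "__main__":
    header = script_src_directive(PAGE_V1, ["https://cdn.appdynamics.com"])
    print("Content-Security-Policy: " + header)
    print("v1 inline block allowed:", inline_scripts_allowed(PAGE_V1, header))
    print("v2 inline block allowed:", inline_scripts_allowed(PAGE_V2, header))
```

Running it prints the header to deploy for PAGE_V1 and then shows that the same header rejects PAGE_V2, where only one config value inside the injected block differs; re-indenting the block has the same effect, which is why the copy in step (2) must be byte-exact. To regenerate the token from a shell instead, pipe the exact block text through `openssl dgst -sha512 -binary | openssl base64 -A`.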
03-11-2018
11:18 PM
Thanks Amit, appreciate your quick reply. I understand what you are saying and it clarified my second question. Could you also comment on my first question?
This is important to us because we are looking to whitelist script-src in CSP by hashcode, so any change to the injected <script> block will render this setting invalid.
Will the injected script block change, i.e. JS logic updated or just a change of filename for adrum.ext.hash.js, thereby making my pre-computed hashcode invalid?
Thank you once again.
03-11-2018
10:06 PM
1 Kudo
Hello everyone. I have read this article but I have some concerns. Would appreciate any help!
For context, our current configuration is as follows:
Browser Application (EUM)
Configuration - Configure and download JavaScript Agent - AppDynamics hosts all JavaScript Agent files from cdn.appdynamics.com
Application
Configuration - User Experience App Integration - JavaScript Injection
Automatic JavaScript injection - DISABLED
Configure JavaScript injection - MyJavaClassAndMethodRule - ENABLED
With this, my pages are injected with a large script block that also loads adrum.ext.hash.js
Now for CSP, we want to be more restrictive and do not want to enable 'unsafe-inline'.
We would like to whitelist the JS file(s) to be loaded and also the injected script block by hashcode.
My questions are:
Will the injected script block change, i.e. JS logic updated or just a change of filename for adrum.ext.hash.js, thereby making my pre-computed hashcode invalid?
The injected script block is significantly different from the generated one from Browser Application [ Configuration - Configure and download JavaScript Agent - Save Config & Generate HTML Snippet]. Why is that so and how do I control the script block that is injected?
Thank you so much for reading!