A reasonable CSP (Content Security Policy) for shiny applications

I want to keep my shiny applications secure and reduce the risk of cross-site-scripting, and other code injection attacks.

I understand that defining a strict CSP can mitigate such risks; however, it also breaks the functionality of shiny.
I tried using a CSP header of script-src 'self'; but it breaks shiny's functionality. Using script-src 'self' 'unsafe-inline' 'unsafe-eval'; works, but from what I read, I presume it is too vulnerable.

What would be a reasonable CSP that actually works?

I'm using shiny server (open source) v1.5.12.933, and Nginx/1.14.0.
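The two headers compared in the question differ only in the script-src keywords. As an added example (not from the original poster, and not a policy that is known to work with Shiny), the following Python parses a Content-Security-Policy header the way a browser would (first occurrence of a directive wins, script-src falls back to default-src) and reports the script sources that re-open injection holes, so a policy can be checked before it is put into the Nginx add_header line. It also computes a CSP hash source for an inline script body, the standard mechanism for allowing a specific inline script without 'unsafe-inline'; whether Shiny's generated pages have static enough inline scripts for that to help is not something this thread establishes. The header strings are constructed sample values.

```python
"""Parse a CSP header and flag script sources that defeat its purpose.

Added example for the Shiny CSP question; the policies below are sample
values taken from the question, not a recommended configuration.
"""
import base64
import hashlib

# Script sources that allow injected or dynamically built code to run.
RISKY_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'", "*", "data:"}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [sources]}.

    Per the CSP spec, a directive that appears more than once keeps only its
    first occurrence; later duplicates are ignored.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.split()
        if not parts:
            continue
        name, sources = parts[0].lower(), parts[1:]
        if name not in policy:
            policy[name] = sources
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str]:
    """script-src governs scripts; when absent, default-src applies instead."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def weak_script_sources(header: str) -> list[str]:
    """Return the risky script sources a header permits, sorted for stable output."""
    sources = effective_script_sources(parse_csp(header))
    return sorted(s for s in sources if s.lower() in RISKY_SCRIPT_SOURCES)


def hash_source(script_body: str) -> str:
    """CSP hash source for one inline script: base64(SHA-256(script text)).

    The hash covers the exact bytes between the <script> tags, so any change
    to the inline script (whitespace included) invalidates it.
    """
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


if __name__ == "__main__":
    # Constructed sample policies, mirroring the two headers in the question.
    strict = "script-src 'self';"
    permissive = "script-src 'self' 'unsafe-inline' 'unsafe-eval';"
    for name, header in (("strict", strict), ("permissive", permissive)):
        print(f"{name}: weak script sources = {weak_script_sources(header)}")

    # Allowing one specific inline script by hash instead of 'unsafe-inline'.
    inline = "console.log('hello');"
    print("hash source for sample inline script:", hash_source(inline))
```

The check is only as good as the header it sees: run it against the value that actually reaches the browser (for example, copied from the response headers in the browser's developer tools), since Nginx may set or override the header separately from Shiny Server.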

I'm having the same issue. Does anyone have an answer to this question?

I was just at the posit::conf and completely forgot to ask this. @winston do you have an idea who can help with this?
