https://live.paloaltonetworks.com/t5/globalprotect-discussions/csp-unsafe-setting-detected-by-scanner-on-pa-lsvpn-gateway/m-p/580539#M5137 <P>Hi All-</P> <P>We have LSVPN configured and working.</P> <P>However, a recent security scan shows that Content Security Policy (CSP ) issue with the gateway default login script in PA.&nbsp;&nbsp;</P> <P>It complains about:</P> <P>&nbsp;</P> <P>script-src: self</P> <P>style-src: self</P> <P>&nbsp;</P> <P>Is there any suggestion on how this can be fixed?<BR /><BR />Thank you!</P> <P>&nbsp;</P> Fri, 15 Mar 2024 17:57:30 GMT MingIkehara 2024-03-15T17:57:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/csp-unsafe-setting-detected-by-scanner-on-pa-lsvpn-gateway/m-p/580539#M5137 <P>Hi All-</P> <P>We have LSVPN configured and working.</P> <P>However, a recent security scan shows that Content Security Policy (CSP ) issue with the gateway default login script in PA.&nbsp;&nbsp;</P> <P>It complains about:</P> <P>&nbsp;</P> <P>script-src: self</P> <P>style-src: self</P> <P>&nbsp;</P> <P>Is there any suggestion on how this can be fixed?<BR /><BR />Thank you!</P> <P>&nbsp;</P> Fri, 15 Mar 2024 17:57:30 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/csp-unsafe-setting-detected-by-scanner-on-pa-lsvpn-gateway/m-p/580539#M5137 MingIkehara 2024-03-15T17:57:30Z https://live.paloaltonetworks.com/t5/globalprotect-discussions/csp-unsafe-setting-detected-by-scanner-on-pa-lsvpn-gateway/m-p/581064#M5160 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/82111">@MingIkehara</a>&nbsp;,</P> <P>&nbsp;</P> <P>As far as I know this is a false positive alert.</P> <P>&nbsp;</P> <P><SPAN>How to check the presence of Response Security Headers in PAN-OS</SPAN><BR /><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HC9uCAG&amp;lang=en_US%E2%80%A9" target="_blank" rel="noopener">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA14u000000HC9uCAG&amp;lang=en_US%E2%80%A9</A><BR /><BR /><SPAN>Connection: keep-alive</SPAN><BR /><SPAN>Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; img-src * data:; style-src 'self' 'unsafe-inline';</SPAN><BR /><BR /><SPAN>Please NOTE, because we use inline scripts for multiple purpose/locations, there is no easy way to remove the unsafe-inline tag from the CSP header.</SPAN><BR /><BR /><SPAN>There is a feature request planned for PAN-OS which has no ETA as of yet as it requires Source code change.</SPAN><BR /><BR /><SPAN>This vulnerability is not considered as a threat, and we have Feature Request ID: 19173. </SPAN></P> <P data-unlink="true"><EM><STRONG>--EDIT: Updated FR ID:&nbsp;NSFR-I-28198&nbsp;--</STRONG></EM></P> <P>&nbsp;</P> <P><SPAN>By providing this Feature ID you can add your vote to it and check with your Account team when it is implemented.</SPAN></P> <P>&nbsp;</P> <P><SPAN>Kind regards,</SPAN></P> <P><SPAN>-Kim.</SPAN></P> Tue, 08 Apr 2025 15:58:21 GMT https://live.paloaltonetworks.com/t5/globalprotect-discussions/csp-unsafe-setting-detected-by-scanner-on-pa-lsvpn-gateway/m-p/581064#M5160 kiwi 2025-04-08T15:58:21Z