We added a Content Security Policy (CSP) to our Node.js server as middleware to increase our security, but the Parse Dashboard appears to have inline scripts/styling, which goes against CSP (see attached screenshot from a vendor).
This forces us to choose between accessing our dashboard without a secure policy in place and failing 3rd-party security checks, or securing our dashboard without being able to view it on the screen because it’s blocked by the browser content security policy.
Here are the options I see to resolve the issue:
- Remove inline styling, but I believe this requires editing Parse Dashboard (we were able to use a nonce to resolve the script error)
- Copy each and every SHA256 hash that appears in the error from Parse Dashboard and insert the hash into our CSP/header, but there are 50+ I’m guessing and this is not scalable / manageable.
- Insert a custom nonce/hash near the Parse Dashboard’s markup style tags, but I don’t see how we can do that since I believe only Parse has control over that (maybe it’s possible?).
Anyone else experienced this / solved this?