Allowance of Inline JavaScript poses a security risk

I recently configured Vaultwarden behind a Content Security Policy.
For Vaultwarden to work, you have to allow the execution of ‘unsafe-inline’ scripts.
At the same time this is a major security risk for the entire service.
I wonder why there’s no discussion about this because everyone should have that problem.
Probably without even realizing.

What are solutions?

Vaultwarden configures a CSP itself already.

The unsafe-inline for script-src is only active for the /admin panel and not the rest of the web-vault interface.

So, there shouldn't be an issue using the web-vault itself.
Currently, changing the admin interface to have no inline script isn't a priority, so I do not think this will happen really soon.

Also, if you configure it yourself, you probably overwrite the one from Vaultwarden, and you may miss CSP configuration needed to have the web-vault working correctly.

So if I put another CSP on top, the two are going to be active at the same time?
Meaning that when I specify my script-src to allow unsafe-inline, it will get cancelled by the Vaultwarden one (only on the Vault)?


You should not put a custom CSP yourself.
I have no clue how setting one yourself will affect the clients, if it would at all.

Just set no custom CSP.
If there are changes needed to the one built-in, let us know.
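As an added example (not part of this thread and not Vaultwarden's own code), here is a small Python checker for the two questions raised above: whether a given Content-Security-Policy lets arbitrary inline scripts run, and what happens when a reverse proxy layers a second policy on top of the one the application already sends. The header values in it are constructed to mirror the two cases described in the replies (a web-vault policy without 'unsafe-inline' in script-src, and an /admin policy with it); they are not the real Vaultwarden policies. To check your own instance, take the header values from `curl -sI https://<your-host>/` and `curl -sI https://<your-host>/admin` and pass them to the same functions.

```python
"""Check whether a Content-Security-Policy permits arbitrary inline <script> execution.

Added example for the thread above. Not Vaultwarden's code; the SAMPLE_* header
values are constructed to illustrate the cases discussed, not copied from a
running instance.
"""
from __future__ import annotations

# Constructed samples, NOT Vaultwarden's actual policies.
SAMPLE_VAULT_CSP = (
    "default-src 'self'; script-src 'self' 'wasm-unsafe-eval'; "
    "style-src 'self' 'unsafe-inline'; img-src 'self' data:"
)
SAMPLE_ADMIN_CSP = (
    "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    "style-src 'self' 'unsafe-inline'"
)
# A policy with no script-src at all, so default-src governs scripts.
SAMPLE_FALLBACK_CSP = "default-src 'self' 'unsafe-inline'"


def policies_from_header_value(value: str) -> list[str]:
    """Split a combined Content-Security-Policy header value into separate policies.

    HTTP may fold several headers into one value separated by commas; CSP treats
    each comma-separated part as an independent policy. Commas cannot occur inside
    a source expression, so splitting on ',' is safe.
    """
    return [p.strip() for p in value.split(",") if p.strip()]


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split one policy into {directive: [source, ...]}.

    Directives are separated by ';', the directive name and its sources by
    whitespace. Only the first occurrence of a directive counts; browsers ignore
    later duplicates within the same policy.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name in policy:
            continue  # duplicate directive in one policy is ignored
        policy[name] = tokens[1:]
    return policy


def effective_script_sources(policy: dict[str, list[str]]) -> list[str] | None:
    """Return the source list that governs <script> elements, or None if unrestricted.

    Browsers consult script-src-elem first, then fall back to script-src, then to
    default-src. If none is present, inline scripts are not restricted at all.
    """
    for directive in ("script-src-elem", "script-src", "default-src"):
        if directive in policy:
            return policy[directive]
    return None


def allows_arbitrary_inline_script(header: str) -> bool:
    """True if an inline <script> with no nonce or matching hash would execute under this policy."""
    sources = effective_script_sources(parse_csp(header))
    if sources is None:
        return True  # no script directive anywhere: nothing blocks inline script
    lowered = [s.lower() for s in sources]  # keyword sources are case-insensitive
    # When a nonce, hash or 'strict-dynamic' is present, browsers that support them
    # ignore 'unsafe-inline', so un-nonced inline script is blocked.
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in lowered):
        return False
    if "'strict-dynamic'" in lowered:
        return False
    return "'unsafe-inline'" in lowered


def allowed_by_all(policies: list[str]) -> bool:
    """Multiple policies are enforced independently: inline script runs only if every one allows it.

    This is the situation when a reverse proxy adds its own Content-Security-Policy
    while the application behind it still sends its built-in one.
    """
    return all(allows_arbitrary_inline_script(p) for p in policies)


if __name__ == "__main__":
    for label, csp in (("web-vault", SAMPLE_VAULT_CSP), ("/admin", SAMPLE_ADMIN_CSP)):
        print(f"{label:10s} arbitrary inline script allowed: {allows_arbitrary_inline_script(csp)}")
    # Proxy adds 'unsafe-inline' on top of the constructed web-vault policy:
    layered = [SAMPLE_VAULT_CSP, "script-src 'self' 'unsafe-inline'"]
    print("layered    arbitrary inline script allowed:", allowed_by_all(layered))
```

Note what the layered case shows: adding a second, looser policy at the proxy does not loosen the application's policy, because every policy must permit the script. The only way a proxy policy changes the effective result is by being stricter than, or replacing (for example with nginx `proxy_hide_header`), the one the application sends, which is why missing directives in a replacement policy can break the web-vault.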