CookieBot not working on security hardened website (concerning Content Security Policy)
Dear Sirs and Madams,
we have encountered a problem with CookieBot when running on security hardened websites.
To secure our website against Cross Site Scripting attacks we defined commonly used "Content Security Policy" headers. This helps to control, e.g., which scripts can be loaded from which locations and, in this case, prevents the danger of scripts loading further scripts on their own afterwards (uncontrolled by us).
CookieBot is NOT able to run with this security setup.
This prevents other scripts that rely on cookies from working (e.g. tracking code).
I guess we are not the only company that wants to take care of the content and scripts we deliver and to prevent danger to us and to our website visitors.
Can you please state whether you are planning to update your product, or whether you require your customers to open their websites to hacking issues.
=== Details ===
Following are more technical details.
Please take a look at https://www.akquinet.de
If you open it with cleared cookies, the popup appears. Choosing "Use necessary cookies only" works. The option "Allow all cookies" results in a failure (see the browser developer tools):
uc.js:1 Refused to load the script 'https://consentcdn.cookiebot.com/consentconfig/....state.js' because it violates the following Content Security Policy directive: script-src www.google-analytics.com https://cdn.jsdelivr.net https://consent.cookiebot.com 'self'
It appears to happen on inserting a new script source:
ParentNode, insertBefore... : <script type="text/javascript" charset="UTF-8" async="" src="https://consentcdn.cookiebot.com/consentconfig/..../state.js"></script>
An issue on the same topic with an "eval()" statement in CookieBot code seems to have disappeared over the last weeks :)
If you need further information, please let me know.
Kind Regards,
Daniel Suess
-
Hi,
I have the same problem.
Did you find a solution to make it work?
Thanks for your feedback :)
0 -
Hello,
We have this problem too. Any luck with a solution?
0 -
Hi, you need to edit the .htaccess file.
You need to add this:
Header set Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cookiebot.com *.googletagmanager.com *.googleapis.com *.stripe.com *.google-analytics.com *.typekit.net *.wp.com *.facebook.com *.facebook.net *.instagram.com *.twitter.com *.pinterest.com *.linkedin.com; media-src 'self' blob:; base-uri 'self';"
Hope it helps :)
I never have good feedback from the Cookiebot team :(
I found the solution on my own ...
0 -
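As an added worked example (not from any poster in this thread and not Cookiebot's own code), the Node.js script below implements a simplified CSP script-src matcher and runs the blocked URL from the first post against three policies: the original one from the console error, a narrow fix that names the second Cookiebot host explicitly, and the .htaccess policy posted above. It also lists which keywords in a policy switch off CSP's inline and eval protection, which is the cost the later replies mention. Assumptions: the page origin is the site named in the thread, the config id in the script path is a constructed placeholder, and the matcher covers the common subset of CSP3 source expressions ('self', scheme sources, host sources with optional scheme, port, path and a leading *. wildcard), not every corner of the specification.

```javascript
// Added example for this thread (not Cookiebot's code): a simplified CSP
// script-src matcher that reproduces the "Refused to load the script" decision
// from the first post and shows which policy changes clear it.
// Keyword sources such as 'unsafe-inline' and 'unsafe-eval' never match a URL;
// they only relax inline-script and eval() enforcement.

// Assumption: the page sending the policy is the site named in the thread.
const PAGE_ORIGIN = new URL("https://www.akquinet.de/");

// Script URL the browser refused; the config id segment is a constructed placeholder.
const BLOCKED_SCRIPT = "https://consentcdn.cookiebot.com/consentconfig/EXAMPLE-ID/state.js";

// Policy quoted in the console error of the first post.
const ORIGINAL_CSP =
  "script-src www.google-analytics.com https://cdn.jsdelivr.net https://consent.cookiebot.com 'self'";
// Narrowest fix: allow the second Cookiebot host by name, change nothing else.
const NARROW_FIX_CSP =
  "script-src www.google-analytics.com https://cdn.jsdelivr.net https://consent.cookiebot.com https://consentcdn.cookiebot.com 'self'";
// The .htaccess policy posted later in the thread.
const HTACCESS_CSP =
  "script-src 'self' 'unsafe-inline' 'unsafe-eval' *.cookiebot.com *.googletagmanager.com *.googleapis.com *.stripe.com *.google-analytics.com *.typekit.net *.wp.com *.facebook.com *.facebook.net *.instagram.com *.twitter.com *.pinterest.com *.linkedin.com; media-src 'self' blob:; base-uri 'self';";

// Returns the source list of a directive, or null when the directive is absent.
function parseDirective(csp, name) {
  for (const part of csp.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length && tokens[0].toLowerCase() === name) return tokens.slice(1);
  }
  return null;
}

// Host-source grammar: [scheme://]host[:port][/path]; host may be * or *.example.com
const HOST_SOURCE = /^(?:([a-z][a-z0-9+.-]*):\/\/)?(\*|(?:\*\.)?[a-z0-9-]+(?:\.[a-z0-9-]+)*)(?::(\*|\d+))?(\/\S*)?$/i;

function hostMatches(pattern, host) {
  if (pattern === "*") return true;
  const p = pattern.toLowerCase();
  const h = host.toLowerCase();
  if (p.startsWith("*.")) {
    const suffix = p.slice(1); // "*.cookiebot.com" -> ".cookiebot.com"
    return h.endsWith(suffix) && h.length > suffix.length; // the bare apex does not match
  }
  return p === h;
}

// Does one source expression permit loading `url` from a page at `pageOrigin`?
function sourceAllows(source, url, pageOrigin) {
  const s = source.toLowerCase();
  if (s === "'self'") return url.origin === pageOrigin.origin;
  if (s.startsWith("'")) return false; // keywords, nonces and hashes never match a URL
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return url.protocol === s; // scheme-source, e.g. blob:
  const m = HOST_SOURCE.exec(source);
  if (!m) return false;
  const [, scheme, host, port, path] = m;
  // Scheme: an explicit scheme must match (http: also admits https:); an implicit
  // scheme takes the page's scheme, with https: always acceptable.
  if (scheme) {
    const want = scheme.toLowerCase() + ":";
    if (url.protocol !== want && !(want === "http:" && url.protocol === "https:")) return false;
  } else if (url.protocol !== pageOrigin.protocol && url.protocol !== "https:") {
    return false;
  }
  if (!hostMatches(host, url.hostname)) return false;
  // Port: no port in the source means the scheme's default port, which URL reports as "".
  if (port === undefined) {
    if (url.port !== "") return false;
  } else if (port !== "*" && port !== url.port) {
    return false;
  }
  // Path: a trailing slash is a prefix match, otherwise the path must match exactly.
  if (path) {
    if (path.endsWith("/")) {
      if (!url.pathname.startsWith(path)) return false;
    } else if (url.pathname !== path) {
      return false;
    }
  }
  return true;
}

// Main check: would a browser enforcing `csp` load `scriptUrl`?
function scriptAllowed(csp, scriptUrl, pageOrigin = PAGE_ORIGIN) {
  const sources = parseDirective(csp, "script-src") ?? parseDirective(csp, "default-src");
  if (sources === null) return true; // no governing directive, nothing is restricted
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const url = new URL(scriptUrl);
  return sources.some((src) => sourceAllows(src, url, pageOrigin));
}

// Lists the script-src keywords that disable CSP's inline-script and eval() protection.
function weakKeywords(csp) {
  const sources = parseDirective(csp, "script-src") ?? [];
  return sources.filter((s) => ["'unsafe-inline'", "'unsafe-eval'"].includes(s.toLowerCase()));
}

for (const [name, csp] of [["original", ORIGINAL_CSP], ["narrow fix", NARROW_FIX_CSP], ["htaccess", HTACCESS_CSP]]) {
  console.log(`${name}: state.js allowed=${scriptAllowed(csp, BLOCKED_SCRIPT)}; weak keywords: ${weakKeywords(csp).join(" ") || "none"}`);
}
```

The point the comparison makes: the original policy fails only because consent.cookiebot.com and consentcdn.cookiebot.com are different hosts, and a host source without a wildcard matches one host exactly. Adding the second host by name clears the error just as the *.cookiebot.com wildcard does, without the 'unsafe-inline' and 'unsafe-eval' keywords; whether those keywords can also be dropped depends on whether the banner still needs eval(), which is the separate issue the later replies describe.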
Thanks for your response. We ended up using 'unsafe-inline' 'unsafe-eval' too but it lessens the security benefits of CSP quite a bit. :(
0 -
We have the same issue - and a client is saying they may have to abandon Cookiebot if it can't be resolved. Hopefully we'll find a way around using unsafe-eval.
0 -
Any solution for it?
This is happening in the customized cookie banner also. The showbanner function call is using eval().
0 -
I have a similar problem. I added nonce-* to restrict inline scripts, but the nonce value is not cloned correctly when the Cookiebot script is loading additional resources.
This SO question has info about it: https://stackoverflow.com/questions/55670985/google-chrome-stripping-nonce-values-from-script-tags
0