
RUM without setting CSP 'unsafe-inline'? #133

Closed
jbuck opened this issue Mar 20, 2014 · 1 comment


jbuck commented Mar 20, 2014

Thank you for enabling RUM for the Node agent! It's working great, and we're getting tons of data.

The only downside to enabling RUM is that you can't use it with CSP unless you also allow 'unsafe-inline'. This removes one of the key protections against XSS attacks. I know that CSP 1.1 will solve this in the future by letting you set integrity hashes, but that's probably not going to be available widely for another year or so.

For those of us that want the security of CSP combined with the information that newrelic provides, would it be possible to split the configuration and javascript? As a strawman, if you called newrelic.getBrowserTimingConfig() in your view, it would output:

<script type="application/json" id="newrelic_browser_timing_config">
{
  ... config goes here...
}
</script>

And then you have newrelic.getBrowserTimingAgent() which provides a URL to load it, maybe?

<script src="{{ newrelic.getBrowserTimingAgent() }}"></script>

Anyways, however it's possible, I'd love newrelic and CSP to co-exist.

@groundwater
Contributor

Hi @jbuck I had a chat with our browser team about this.

Unfortunately the browser agent will not be compatible with CSP until version 1.1. My understanding is that the timing and instrumentation of the browser agent is sensitive enough that loading via a script would disrupt the accuracy of the info.

There is also a lot of request-specific information loaded in the inlined script. There may be a workaround where you generate the header, store it in another route, then load that as an external script. I can't say if this would even work, and the use case probably wouldn't be recognized by our support team.

Anyways, sorry we can't find a better solution. I'm sure our browser team would love to support CSP as-is, but it would seriously degrade the experience and accuracy of the agent.
