Enhancement
Harden content security policy
Issue description
Currently topincs uses inline scripts. These are considered harmful. See if we can do without.
Developer comments
In particular we use unsafe-inline and unsafe-eval. Hmm.
Prohibiting inline JavaScript completely would mean a lot of changes and an increased number of HTTP requests. Thus a hash or a nonce might be a better option.
Not sure why the browser cannot distinguish a script tag that is embedded in the HTML source (and thus should be considered as 'self') from one that is created from an alternate source in the case of a client-processed reflected attack. Possibly this applies mainly to server-processed reflected attacks.
Maybe 'strict-dynamic' is of help.
Work sessions
Start: 2021-08-13T19:04:20
End: 2021-08-13T19:46:29
Participant: Robert Cerny