View Issue Details
Field | Value
---|---
ID | 12569
Project | Feature requests
Category | Security
View Status | public
Date Submitted | 2017-08-04 12:36
Last Update | 2021-03-08 19:44
Reporter | 
Assigned To | c_schmitz
Priority | none
Severity | @60@
Status | closed
Resolution | won't fix
Summary | 12569: Content-Security-Policy (CSP) HTTP response header absent
Description | See https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP. This header can potentially disarm a range of client-side attacks. A manual nginx setting
Tags | No tags attached.
Bug heat | 254
Story point estimate | 
Users affected % | 
Note 44548 | c_schmitz | 2017-10-06 16:24
I don't currently see how the average user would be able to handle that. I don't see an easy way to implement that right now. So what do you suggest?
Note 47041 | Rudloff | 2018-03-14 15:57
It is indeed a good practice to return a Content-Security-Policy header, as it prevents different types of XSS attacks. IMHO you have two ways of implementing this:
Here is what we use on our server:
Here is what it means:
(The last one could be made less strict if people need to include images from other domains.) Allowing inline scripts and eval is not very secure, but disallowing them breaks some parts of LimeSurvey :/ It's also a good idea to define the following headers:
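A defender-side check that follows from the discussion in this thread: confirm that a response actually carries a Content-Security-Policy header, and flag the 'unsafe-inline' / 'unsafe-eval' keywords mentioned above when they govern script execution. This is an added example, not code from the issue, from Rudloff's note or from LimeSurvey; the function names are mine, and the sample header sets are constructed, not captured from any server. It goes slightly beyond the note by applying the CSP fallback rule (script-src inherits default-src when absent) so a policy that omits script-src is judged by what the browser would actually enforce.

```python
"""Check HTTP response headers for a Content-Security-Policy and flag weak
script-src settings.

Added example for this issue; not LimeSurvey or Rudloff's code. The sample
header sets at the bottom are constructed, not captured from a real server.
"""
from __future__ import annotations

# Source keywords that weaken script execution restrictions.
WEAK_SCRIPT_SOURCES = {"'unsafe-inline'", "'unsafe-eval'"}


def parse_csp(policy: str) -> dict[str, list[str]]:
    """Parse a CSP header value into {directive: [source expressions]}.

    Directives are separated by ';'; each one is a name followed by
    whitespace-separated source expressions. Names are case-insensitive and
    a repeated directive is ignored, matching browser behaviour (the first
    occurrence wins).
    """
    directives: dict[str, list[str]] = {}
    for chunk in policy.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        name = tokens[0].lower()
        if name not in directives:
            directives[name] = tokens[1:]
    return directives


def effective_sources(directives: dict[str, list[str]], name: str) -> list[str]:
    """Return the source list that governs `name`, falling back to
    default-src when the fetch directive itself is absent."""
    if name in directives:
        return directives[name]
    return directives.get("default-src", [])


def assess_csp(headers: dict[str, str]) -> list[str]:
    """Return a list of findings for one response's headers (empty = fine).

    Header names are matched case-insensitively, as HTTP requires.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    policy = lowered.get("content-security-policy")
    findings: list[str] = []
    if policy is None:
        if "content-security-policy-report-only" in lowered:
            findings.append("CSP is report-only; nothing is enforced")
        else:
            findings.append("Content-Security-Policy header absent")
        return findings

    directives = parse_csp(policy)
    scripts = effective_sources(directives, "script-src")
    if "script-src" not in directives and "default-src" not in directives:
        findings.append("no script-src or default-src: scripts unrestricted")
    for weak in sorted(WEAK_SCRIPT_SOURCES):
        if weak in scripts:
            findings.append(f"script-src allows {weak}")
    if "*" in scripts:
        findings.append("script-src allows any origin (*)")
    return findings


# Constructed sample responses (not from a real server).
SAMPLE_RESPONSES = {
    "no-csp": {"Content-Type": "text/html"},
    "permissive": {
        "content-security-policy":
            "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'",
    },
    "strict": {
        "Content-Security-Policy":
            "default-src 'self'; img-src 'self' data:; frame-ancestors 'none'",
    },
}

if __name__ == "__main__":
    for label, hdrs in SAMPLE_RESPONSES.items():
        print(f"{label}: {'; '.join(assess_csp(hdrs) or ['ok'])}")
```

Feed `assess_csp` the header dictionary of a real response (for example from `requests` or a captured `curl -I` run) to audit a deployment; the "strict" sample shows that omitting script-src is acceptable only when default-src is already restrictive.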
Note 62904 | c_schmitz | 2021-03-08 19:44
This won't be implemented as we consider this to be a server-side setting.
Date Modified | Username | Field | Change
---|---|---|---
2017-08-04 12:36 | | New Issue |
2017-10-06 16:24 | c_schmitz | Assigned To | => c_schmitz
2017-10-06 16:24 | c_schmitz | Status | new => feedback
2017-10-06 16:24 | c_schmitz | Note Added: 44548 |
2018-02-15 12:18 | c_schmitz | Project | Bug reports => Feature requests
2018-03-14 15:57 | Rudloff | Note Added: 47041 |
2021-03-08 19:44 | c_schmitz | Status | feedback => closed
2021-03-08 19:44 | c_schmitz | Resolution | open => won't fix
2021-03-08 19:44 | c_schmitz | Note Added: 62904 |