ID: 20166
Project: Feature requests
Category: Security
View Status: public
Last Update: 2026-02-24 11:33
Reporter: Ryszard
Assigned To: c_schmitz
Priority: none
Severity: feature
Status: new
Resolution: open
Summary: 20166: Missing Content-Security-Policy Header
Description

The application's responses did not identify a deployed Content-Security-Policy header.

A CSP can significantly complicate exploitation of the vulnerability.

It is recommended to consider implementing the Content-Security-Policy header.

Tags: No tags attached.
Bug heat: 254
Story point estimate: 0
Users affected %: 0

Activities

DenisChenu (developer), 2025-07-10 09:14, note ~83054

We will look at the issue as soon as possible

DenisChenu (developer), 2025-07-10 09:15, note ~83055

My opinion: we can add CSP in administration.
For public survey/theme: it must be open: allow external video/image etc. ... For external JS: we need a solution to allow it by theme at a minimum, then maybe just add it in the template?

c_schmitz (administrator), 2025-12-08 10:43, note ~83989

CSP can be set anytime by the webserver, there is no need to have this in LimeSurvey itself.
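The check behind this report (is an enforcing Content-Security-Policy header present at all, and does it actually restrict script?) and the constraint raised in the comments (a public survey page must still allow external images and video) can both be verified on the response headers, wherever the policy is set: in the application or, as suggested above, by the webserver. The following is an added example and not LimeSurvey's code; the sample responses are constructed, and the weakness heuristics in assess_csp are this example's own choices, not a complete CSP audit.

```python
"""Check an HTTP response's headers for a Content-Security-Policy (CSP) and flag
weak settings. Added example, not LimeSurvey's code; the sample responses below
are constructed for illustration."""

from typing import Dict, List, Optional, Tuple

ENFORCING = "content-security-policy"
REPORT_ONLY = "content-security-policy-report-only"

# Source expressions that make script-src ineffective against injected script.
WEAK_SCRIPT_SOURCES = ("'unsafe-inline'", "'unsafe-eval'", "*", "http:", "https:", "data:")


def get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """Case-insensitive header lookup (HTTP header names are case-insensitive)."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split 'directive src src; directive src' into {directive: [sources]}.
    Directive names are case-insensitive; the first occurrence of a directive wins."""
    directives: Dict[str, List[str]] = {}
    for clause in policy.split(";"):
        tokens = clause.split()
        if not tokens:
            continue
        directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def assess_csp(policy: str) -> List[str]:
    """Return the weaknesses found in an enforcing policy (empty list = none found)."""
    findings: List[str] = []
    d = parse_csp(policy)
    if "default-src" not in d:
        findings.append("no default-src fallback; unlisted fetch directives are unrestricted")
    # script-src falls back to default-src when absent.
    script_sources = d.get("script-src", d.get("default-src", []))
    for weak in WEAK_SCRIPT_SOURCES:
        if weak in script_sources:
            findings.append(f"script-src allows {weak}")
    # object-src is not covered by script-src; plugin content can run script.
    object_sources = d.get("object-src", d.get("default-src", []))
    if object_sources != ["'none'"]:
        findings.append("object-src is not 'none'")
    return findings


def check_response(headers: Dict[str, str]) -> Tuple[str, List[str]]:
    """Classify a response as 'missing', 'report-only', 'weak' or 'ok'."""
    policy = get_header(headers, ENFORCING)
    if policy is None:
        if get_header(headers, REPORT_ONLY) is not None:
            return ("report-only", ["policy is report-only; nothing is blocked"])
        return ("missing", ["no Content-Security-Policy header"])
    findings = assess_csp(policy)
    return ("weak" if findings else "ok", findings)


# Constructed sample responses (headers only), not captured from any real server.
SAMPLE_RESPONSES = {
    # The situation in the report: no CSP at all.
    "no_csp": {"Content-Type": "text/html; charset=utf-8"},
    # A policy that exists but does little: inline and eval script from anywhere.
    "permissive": {
        "Content-Type": "text/html",
        "Content-Security-Policy": "script-src * 'unsafe-inline' 'unsafe-eval'",
    },
    # A public survey page that allows external images/video but not external script.
    "survey_page": {
        "Content-Type": "text/html",
        "content-security-policy": (
            "default-src 'self'; script-src 'self'; img-src 'self' https:; "
            "media-src 'self' https:; frame-src https://www.youtube.com; object-src 'none'"
        ),
    },
}

if __name__ == "__main__":
    for label, headers in SAMPLE_RESPONSES.items():
        status, findings = check_response(headers)
        print(f"{label}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

The survey_page sample shows the shape of a policy that meets the open-media requirement from the comment above while keeping script-src at 'self'; a Report-Only header is deliberately classified separately, because it logs violations without blocking anything and should not be counted as a deployed CSP.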

Issue History

Date Modified Username Field Change
2025-07-09 14:18 Ryszard New Issue
2025-07-10 09:13 DenisChenu Assigned To => c_schmitz
2025-07-10 09:13 DenisChenu Status new => assigned
2025-07-10 09:14 DenisChenu Status assigned => feedback
2025-07-10 09:14 DenisChenu Note Added: 83054
2025-07-10 09:14 DenisChenu Bug heat 256 => 258
2025-07-10 09:15 DenisChenu Note Added: 83055
2025-12-08 10:42 c_schmitz Project Bug reports => Feature requests
2025-12-08 10:43 c_schmitz Status feedback => new
2025-12-08 10:43 c_schmitz Note Added: 83989
2025-12-08 10:43 c_schmitz Bug heat 258 => 260
2026-02-24 11:33 c_schmitz Severity @50@ => feature
2026-02-24 11:33 c_schmitz Product Version 6.6.x =>
2026-02-24 11:33 c_schmitz View Status private => public
2026-02-24 11:33 c_schmitz Story point estimate => 0
2026-02-24 11:33 c_schmitz Users affected % => 0
2026-02-24 11:33 c_schmitz Bug heat 260 => 254