Hello, my first post here.
I've tried with 3.0.8 to use CSP however due to the amount of inline scripts and inline events, this causes features to break. eg. The bold/i/u/quote bar and smilies.
The CSP I used was: allow 'self'; img-src *; script-src 'self' https://api-secure.recaptcha.net https://www.google.com; report-uri https://mysite.org/csp.php
Proposal:
Convert inline scripts into external scripts <script src="
Convert inline events using something like: element.onclick = someFunction; or element.addEventListener("click", someFunction, false);
Use the above for javascript links as well. <a href="javascript: (I haven't seen any of these).
References:
https://developer.mozilla.org/en/Introd ... ity_Policy
Result:
Web Admins can enable CSP and gain an additional layer of protection against XSS and clickjacking/ui-redressing attacks.
[RFC] Content Security Policy Compatibility
Re: [RFC] Content Security Policy Compatibility
Is all inline javascript disallowed? This seems too hard of a requirement.
The event stuff will be easier if we have a js framework taking care of it (viewtopic.php?f=108&t=33747).
Re: [RFC] Content Security Policy Compatibility
nn- wrote: Is all inline javascript disallowed? This seems too hard of a requirement.
I'd say that's a pretty good idea, and certainly not a problem from a technological perspective.