#5813 - Potentially risky wildcard default-src CSP set on several pages

By PDStig
Added 26th Jul 2024, 9:18 PM
12 views

Identifier	#5813
Issue type	Minor issue (breaks specific functionality)
Title	Potentially risky wildcard default-src CSP set on several pages
Status	Open
Tags	Roadmap: v11 (custom)
Handling member	Chris Graham
Version	11 beta1
Addon	core
Description	default-src * data: blob: 'unsafe-inline' is being set on many pages. This might be quite risky especially without a nonce.
Steps to reproduce
Funded?	No

The system will post a comment when this issue is modified (e.g., status changes). To be notified of this, click "Enable comment notifications".

Rating

Unrated

Comments

By Guest posted 26th Jul 2024, 9:18 PM

Automated message: This issue was created using the Report Issue Wizard on the Composr homesite.

By Guest posted 26th Jul 2024, 9:22 PM

Possible this may be because of "Permit no JavaScript nonce for injected scripts", which honestly should be disabled by default IMO and users instructed to enable it only if they must for third-party libraries that need it.

By Guest posted 26th Jul 2024, 9:29 PM

This seems to be happening on a lot of the add and edit screens. Other screens have the proper headers.

By Guest posted 4th Sep 2024, 5:49 PM

This was mainly a WYSIWYG issue, fixed in 11 beta2, but I still see it on some other screens. Leaving the issue open for now.

#5813 - Potentially risky wildcard default-src CSP set on several pages

Rating

Comments

Statistics