View Issue Details
Field | Value
---|---
ID | 5813
Project | Composr
Category | core
View Status | public
Date Submitted | 2024-07-27 01:18
Last Update | 2024-09-04 21:49
Reporter | PDStig
Assigned To | Chris Graham
Priority | high
Severity | minor
Status | assigned
Resolution | open
Product Version | 11.beta1
Summary | 5813: Potentially risky wildcard default-src CSP set on several pages
Description | default-src * data: blob: 'unsafe-inline' is being set on many pages. This might be quite risky especially without a nonce.
Tags | Roadmap: v11
Automated message: This issue was created using the Report Issue Wizard on the Composr homesite.

Possibly this may be because of "Permit no JavaScript nonce for injected scripts", which honestly should be disabled by default IMO and users instructed to enable it only if they must for third-party libraries that need it.

This seems to be happening on a lot of the add and edit screens. Other screens have the proper headers.

This was mainly a WYSIWYG issue, fixed in 11 beta2, but I still see it on some other screens. Leaving the issue open for now.
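The policy quoted in the description is worth checking mechanically, because the risk is not only the `*` in `default-src` but also what that directive implies: any fetch directive a page omits (script-src, style-src, object-src, ...) inherits `default-src`, so `'unsafe-inline'` and `data:` end up governing scripts as well. The following audit script is an added example, not Composr code and not the fix tracked in this issue. Both sample headers are constructed: the first copies the value from the description, the second is one illustrative hardened policy with a placeholder nonce, not the project's actual header. It also reflects the CSP rule that browsers which understand nonces ignore `'unsafe-inline'` once a nonce or hash is present, which is why that combination is treated as acceptable.

```python
import re

# Constructed sample headers (not captured from Composr). The first mirrors the
# policy quoted in the issue description; the second is an illustrative
# hardened alternative with a placeholder nonce value.
RISKY_CSP = "default-src * data: blob: 'unsafe-inline'"
HARDENED_CSP = (
    "default-src 'self'; "
    "script-src 'self' 'nonce-PLACEHOLDER'; "
    "style-src 'self' 'nonce-PLACEHOLDER'; "
    "img-src 'self' data:; "
    "object-src 'none'; "
    "base-uri 'self'"
)

NONCE_RE = re.compile(r"'nonce-[A-Za-z0-9+/=_-]+'")
HASH_RE = re.compile(r"'sha(256|384|512)-[A-Za-z0-9+/=_-]+'")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy value into {directive: [source expressions]}.

    Browsers keep only the first occurrence of a repeated directive, so the
    parser does the same instead of merging duplicates.
    """
    policy: dict[str, list[str]] = {}
    for clause in header.split(";"):
        tokens = clause.strip().split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str]:
    """Sources that govern `directive`, falling back to default-src when it is absent."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header: str) -> list[str]:
    """Flag the weaknesses the issue describes for a single CSP header value."""
    policy = parse_csp(header)
    findings: list[str] = []

    if "default-src" not in policy:
        findings.append("no default-src: any directive not listed is unrestricted")

    for directive in ("script-src", "style-src"):
        sources = effective_sources(policy, directive)
        inherited = "" if directive in policy else " (inherited from default-src)"
        if "*" in sources:
            findings.append(f"{directive} allows any origin via '*'{inherited}")
        if "data:" in sources:
            findings.append(f"{directive} allows data: URIs{inherited}")
        # 'unsafe-inline' is ignored by nonce-aware browsers when a nonce or
        # hash is also present, so only flag it when neither is there.
        has_nonce_or_hash = any(NONCE_RE.fullmatch(s) or HASH_RE.fullmatch(s) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append(f"{directive} permits inline code without a nonce or hash{inherited}")

    if "'none'" not in effective_sources(policy, "object-src"):
        findings.append("object-src is not 'none': plugin content can be loaded")

    return findings


if __name__ == "__main__":
    for label, header in (("risky", RISKY_CSP), ("hardened", HARDENED_CSP)):
        print(f"{label}: {header}")
        for finding in audit_csp(header) or ["no findings"]:
            print("  -", finding)
```

Running it against the quoted policy reports seven findings (three each for script-src and style-src, all inherited from default-src, plus object-src), and none for the hardened header; pointing `audit_csp` at the `Content-Security-Policy` value returned by each add/edit screen is a quick way to confirm which pages still carry the wildcard policy.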
Date Modified | Username | Field | Change
---|---|---|---
2024-07-27 01:18 | PDStig | Tag Attached: Roadmap: v11 |
2024-07-27 01:22 | PDStig | Note Added: 0008986 |
2024-07-27 01:29 | PDStig | Note Added: 0008987 |
2024-07-27 01:29 | PDStig | Assigned To | => Chris Graham
2024-07-27 01:29 | PDStig | Status | Not Assigned => Assigned
2024-07-27 01:29 | PDStig | Summary | Potentially risky wildcard default-src CSP set on several pages => Potentially risky wildcard default-src CSP set on several pages
2024-09-04 21:49 | PDStig | Note Added: 0009262 |