-
- Site: [https://all-sorns.app.cloud.gov](https://all-sorns.app.cloud.gov)
**New Alerts**
- **Absence of Anti-CSRF Tokens** [10202] total: 2:
- [https://all-sorns.app.cloud.gov](https://all-…
-
### Describe the bug
When creating a new SvelteKit project from the demo template and configuring CSP rules that disallow inline styles, you get a CSP violation on the #svelte-announcer element which…
-
### Describe the problem
SvelteKit doesn't really work with `strict-dynamic` CSP, at least not when using hashes. There seem to be some non-intuitive requirements (you have to use `modulepreload`?), …
-
My interpretation of CSP level 2 was always that child-src applied both to the (at that time) deprecated frame-src context and added web workers. I personally only use one web worker and it is served …
-
# 🌱 Feature Request
## Is your feature request related to a problem? Please describe.
As a solution similar to `helmet`, it would be beneficial for consumers to have similar defaults, so as to align…
-
It is possible to generate hashes for each inline script and expose them the same way as http2-push-manifest.
See:
- https://developer.mozilla.org/en-US/Add-ons/WebExtensions/manifest.json/content…
-
I'm wondering how a browser should parse a CSP that's `img-src 'none' https://example.com`. So far I see Chrome and Firefox dropping the `'none'`. Shouldn't they fail closed and not allow any other sou…
-
Given the following policies
`CSP: script-src 'none'; style-src '*'; default-src 'none'`
`CSP: script-src '*'; style-src 'none'; default-src 'none'`
The current algorithm would allow prefetches.
…
-
The current description text for the result "csp-implemented-with-unsafe-inline" is quite impossible to understand (unless you already know what it wants to tell you), as it uses quotation marks randomly :)
…
ghost updated 7 years ago
-
- Site: [https://sanduba-costumer-function.azurewebsites.net](https://sanduba-costumer-function.azurewebsites.net)
**New Alerts**
- **Content Security Policy (CSP) Header Not Set** [10038] total…