-
### Core or SDK?
Platform/SDK
### Which part? Which one?
Browser JavaScript
### Description
Investigating integration of Browser JavaScript to a website, one question I need to answer i…
-
CSP:EE spec defines [Effective Directive Value](https://w3c.github.io/webappsec-cspee/#effective-directive) as a static list of supported CSP directives. CSP:EE was written before Trusted Types and th…
-
### Work environment
| Questions | Answers
|---------------------------|--------------------
| Type of issue | Support
| OS version (server) | CentOS
| OS v…
-
Hi,
I noticed that some CSP directives reported by this extender are obsolete, and are reported by your tool. Is it possible to update this extender accordingly?
- 'referrer': https://developer.mo…
-
Critical: script-src with 'unsafe-inline' or 'unsafe-eval' and without a nonce found. That's dangerous, don't use it. If you really need one of these unsafe directives, add a nonce.
https://devel…
-
## Is your proposal related to a problem?
See #1288. Wagtail uses inline JavaScript and styles to provide useful feedback to the user. This causes conflicts with CSP directives.
This issue attem…
-
CSP currently has a few gaps that prevent it from being a useful anti-exfiltration mechanism. https://www.w3.org/TR/CSP3/#exfiltration hints that preventing data exfiltration may be a goal, but it's n…
-
Capturing that https://www.mapbox.com/mapbox-gl-js/api/#csp-directives should be updated.
The `child-src` directive is recommended, but it is deprecated and yields a warning when used in Chrome and…
-
## Problem
I just re-read a recent ZAP report and stumbled [about this CSP warning](https://github.com/PrivateBin/docker-nginx-fpm-alpine/issues/69):
> The following directives either allo…
-
### What feature?
The application currently lacks a Content Security Policy (CSP), which increases the risk of cross-site scripting (XSS) and other injection attacks. Implementing a CSP is essential …