CyberDeck / devise-fido-u2f

A devise module to authenticate additionally with a FIDO U2F hardware token, e.g. a Yubico USB security key.
MIT License

devise-fido-u2f produces in-line JavaScript and style in its views, which requires an 'unsafe-inline' Content Security Policy #12

Closed brianewell closed 5 years ago

brianewell commented 6 years ago

Content Security Policy is an added layer of security that helps to detect and mitigate certain attacks, including Cross Site Scripting and data injection attacks.

I found that a CSP default policy of self was incompatible with the devise-fido-u2f gem because of the gem's use of inline JavaScript and CSS within the following views:

I'm going to fork the project and give fixing this a shot.

CyberDeck commented 5 years ago

Hi @brianewell,

I fixed the templates to cope with the latest Content Security Policy stuff for Rails 5.2. The Example App was fixed as well. Please have a look at the Example App to see how it can be implemented with a default policy of self.
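A small model of the conflict both comments describe, added here and not code from the gem, its example app, or either commenter: it resolves an inline script or style against a CSP header the way a browser does (simplified from the spec), showing that a default policy of 'self' blocks inline code, that 'unsafe-inline' re-enables it at the cost of the XSS protection, and that a per-request nonce admits only the tagged element. The nonce generator and policy hash shape are assumptions modelled on Rails 5.2's CSP support; the page does not say which mechanism the fixed templates use.

```ruby
require "securerandom"

# Mint a per-request nonce (assumed shape; mirrors what a Rails 5.2
# content_security_policy_nonce_generator would return).
def csp_nonce
  SecureRandom.base64(16)
end

# Serialise { directive => [sources] } into a Content-Security-Policy header value.
def csp_header(policy)
  policy.map { |directive, sources| "#{directive} #{sources.join(' ')}" }.join("; ")
end

# Parse a header value back into { directive => [sources] }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |part, acc|
    tokens = part.strip.split(/\s+/)
    next if tokens.empty? || tokens[0].empty?
    acc[tokens[0]] = tokens.drop(1)
  end
end

# Would an inline <script> (kind: "script") or <style> (kind: "style") run?
# script-src / style-src govern; absent those, default-src does. A matching
# 'nonce-…' source admits the element; 'unsafe-inline' admits every inline
# element but is ignored once any nonce-/hash- source appears in the list.
def inline_allowed?(header, kind:, nonce: nil)
  policy  = parse_csp(header)
  sources = policy["#{kind}-src"] || policy["default-src"]
  return true if sources.nil? # no governing directive: nothing restricts inline code
  return true if nonce && sources.include?("'nonce-#{nonce}'")
  has_nonce_or_hash = sources.any? { |s| s.match?(/\A'(nonce|sha256|sha384|sha512)-/) }
  sources.include?("'unsafe-inline'") && !has_nonce_or_hash
end

if __FILE__ == $PROGRAM_NAME
  strict = csp_header("default-src" => ["'self'"])
  weak   = csp_header("default-src" => ["'self'"], "script-src" => ["'self'", "'unsafe-inline'"])
  nonce  = csp_nonce
  nonced = csp_header("default-src" => ["'self'"], "script-src" => ["'self'", "'nonce-#{nonce}'"])

  puts "strict, inline script:        #{inline_allowed?(strict, kind: 'script')}"          # false
  puts "strict, inline style:         #{inline_allowed?(strict, kind: 'style')}"           # false
  puts "'unsafe-inline', any script:  #{inline_allowed?(weak, kind: 'script')}"            # true
  puts "nonced, tagged script:        #{inline_allowed?(nonced, kind: 'script', nonce: nonce)}" # true
  puts "nonced, untagged script:      #{inline_allowed?(nonced, kind: 'script')}"          # false
end
```

The last case is the one that matters for the gem's views: with a nonce in place, inline JavaScript the template emits must carry that nonce to run, while injected script without it stays blocked.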