Closed bgatellier closed 7 years ago
@bgatellier thanks for initiating this discussion. Undoubtedly it's a very important topic. The problem I have with CSP is that I love it in theory and I hate it in practice. It complicates everything so much! I don't know when ... but eventually we'll make this bundle CSP-compliant.
I've added Make the bundle CSP-compatible in the list of future features of this bundle. This is the list of things that we'll do, but not in the short term. It allows us to clean the Issues backlog closing issues that won't be fixed immediately. In any case, I assure you that we won't forget about this feature (I'm very interested in it). Thanks!
@javiereguiluz do you have a plan of attack for how you would implement this? I'd like to help out. From a quick look around it appears that most of the inline <script> tags could be moved to JavaScript files without a problem, although there are a few script blocks that use Twig (e.g. to get the search query).
Hello,
Content Security Policy (CSP) is an added layer of security that helps to detect and mitigate certain types of attacks, including Cross-Site Scripting (XSS) and data injection attacks (MDN documentation).
The upcoming Symfony 3.2 will take this layer into account (related PR), so I was wondering if it could also be a new feature for EasyAdmin.
In order to have complete protection against XSS and data injection attacks, inline CSS and JavaScript code is forbidden; it has to be loaded from external files. From what I can quickly see in the EasyAdmin source code, five template files are affected by these changes. The changes that have to be made are:
Regards,
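As an added example, not part of this issue thread and not EasyAdmin's or Symfony's own code: a small Node.js script with the two things a maintainer would want when doing the migration described in the issue and in the comment about Twig-populated script blocks. It contains a lint that flags the constructs a policy without 'unsafe-inline' refuses to run (inline scripts and styles, style= and on*= attributes, javascript: URLs), and the data-attribute pattern for handing a Twig value such as the search query to an external script instead of interpolating it into a script body. The function names, the policy in ASSUMED_POLICY, the /bundles/easyadmin/search.js path, the sample markup and the sample query are all assumptions made for the example.

```javascript
// Added example, not EasyAdmin code. Runs on Node.js 12+ (uses String.prototype.matchAll).
// Assumed policy the templates must satisfy: no 'unsafe-inline' for scripts or styles.
const ASSUMED_POLICY = "default-src 'self'; script-src 'self'; style-src 'self'";

// ---- 1. Lint: constructs that ASSUMED_POLICY blocks ---------------------------
// Deliberately simple patterns, meant for the bundle's own Twig templates, not arbitrary HTML.
const SCRIPT_TAG = /<script\b([^>]*)>([\s\S]*?)<\/script>/gi;
const STYLE_TAG = /<style\b[^>]*>[\s\S]*?<\/style>/gi;
const STYLE_ATTR = /\sstyle\s*=\s*(["'])[\s\S]*?\1/gi;
const EVENT_ATTR = /\son[a-z]+\s*=\s*(["'])[\s\S]*?\1/gi;
const JAVASCRIPT_URL = /\b(?:href|action)\s*=\s*["']\s*javascript:/gi;

// Returns one finding per blocked construct in a rendered template (HTML string).
function findCspViolations(html) {
  const findings = [];
  for (const m of html.matchAll(SCRIPT_TAG)) {
    const [, attrs, body] = m;
    if (/\bsrc\s*=/i.test(attrs)) continue; // external file: allowed by script-src 'self'
    if (/\bnonce\s*=/i.test(attrs)) continue; // allowed only if the policy carries the same nonce
    if (/\btype\s*=\s*["']application\/json["']/i.test(attrs)) continue; // data block, never executed
    if (body.trim()) findings.push({ kind: 'inline-script', snippet: body.trim().slice(0, 60) });
  }
  for (const m of html.matchAll(STYLE_TAG)) findings.push({ kind: 'inline-style', snippet: m[0].slice(0, 60) });
  for (const m of html.matchAll(STYLE_ATTR)) findings.push({ kind: 'style-attribute', snippet: m[0].trim() });
  for (const m of html.matchAll(EVENT_ATTR)) findings.push({ kind: 'event-handler-attribute', snippet: m[0].trim() });
  for (const m of html.matchAll(JAVASCRIPT_URL)) findings.push({ kind: 'javascript-url', snippet: m[0].trim() });
  return findings;
}

// ---- 2. Refactor: Twig value -> data-* attribute + external script -----------
// Attribute-context escaping, the role Twig's e('html_attr') plays in the template.
function escapeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Constructed stand-in for the legacy template: the query is interpolated into the
// script body, so the whole block is refused under ASSUMED_POLICY.
function renderSearchBoxLegacy(query) {
  return `<input id="search" value="${escapeHtmlAttr(query)}">
<script>var searchQuery = ${JSON.stringify(query)}; highlight(searchQuery);</script>`;
}

// CSP-compatible version: the value travels in a data-* attribute, the code in a file
// (the /bundles/easyadmin/search.js path is hypothetical).
function renderSearchBox(query) {
  const q = escapeHtmlAttr(query);
  return `<input id="search" value="${q}" data-query="${q}">
<script src="/bundles/easyadmin/search.js"></script>`;
}

// What the external file does instead of relying on an inlined variable:
// document.getElementById('search').dataset.query. Modelled here on the HTML string
// so the round trip (escape on the Twig side, read back in the browser) is checkable offline.
function unescapeHtmlAttr(s) {
  const map = { amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'" };
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (_, e) => map[e]);
}

function readDataAttribute(html, name) {
  const m = new RegExp(`\\sdata-${name}="([^"]*)"`).exec(html);
  return m ? unescapeHtmlAttr(m[1]) : null;
}

// Demo on a constructed query containing every character the escaper touches.
const SAMPLE_QUERY = 'O\'Reilly <b>"test"</b> & co';
console.log('legacy  :', findCspViolations(renderSearchBoxLegacy(SAMPLE_QUERY)));
console.log('migrated:', findCspViolations(renderSearchBox(SAMPLE_QUERY)));
console.log('read back:', readDataAttribute(renderSearchBox(SAMPLE_QUERY), 'query'));
```

Run it with `node` to see the legacy markup reported as one `inline-script` finding and the migrated markup as clean; the same `findCspViolations` can be pointed at each rendered template to get the list of blocks still to move. The JSON data-block exemption is there because CSP only governs scripts the browser would execute, so a `<script type="application/json">` is a legitimate way to ship larger structured Twig data to an external file.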