MISP / MISP

MISP (core software) - Open Source Threat Intelligence and Sharing Platform
https://www.misp-project.org/
GNU Affero General Public License v3.0

Do not use inline javascript so a strict Content-Security-Policy header can be used #705

Open RichieB2B opened 9 years ago

RichieB2B commented 9 years ago

Several (small) javascript snippets are served inline from the ctp templates. If these are moved to external js files, a strict Content-Security-Policy can be used:

Content-Security-Policy: default-src 'self' 

See https://www.owasp.org/index.php/Content_Security_Policy_Cheat_Sheet

RichieB2B commented 9 years ago

There is also one case of inline CSS in app/View/Layouts/flash.ctp

iglocska commented 9 years ago

I am working on a solution for this but it will be a rather big overhaul. The big question now is whether to target 2.3 in a hotfix with this or go straight to 2.4.

RichieB2B commented 9 years ago

No rush as far as I'm concerned. It is in the "nice to have" security category.

iglocska commented 9 years ago

We'll do this after 2.4 then as an intermediary patch, I have a small proof of concept in the works on how to best resolve it, but it will be messy.

First of all a lot of the PHP -> JS connection happens in these lines (where we feed php variable data into JS variables), so this needs to be overhauled completely (for example by echoing the data as json into meta tags and having a JS loader for it).

There are more things that emit inline JS than at first visible (such as cakePHP postlinks). There is a PR for this open for cakephp itself, but I don't know when it will become a reality, so I think it's a good moment in time to abandon postlinks and just convert to our own ajax mechanism everywhere.
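The "echo the data as JSON into meta tags and have a JS loader for it" approach from the comment above, as an added example that is not MISP project code: the server side of the round trip (which in MISP would be PHP inside a .ctp template, written here in JavaScript only so the whole exchange runs in one file), the external loader that replaces the inline `var x = <?php echo ... ?>` snippets, and a small checker that reports whether a given Content-Security-Policy header still permits inline scripts. The function names, the meta tag name `misp-config`, the sample data and the `fakeDocument` stand-in are assumptions made for this illustration.

```javascript
// Added example, not MISP project code. Demonstrates: page data carried in a
// <meta> tag as escaped JSON (no inline <script>), an external loader that
// reads it back, and a check of whether a CSP header still allows inline JS.
// All names and sample data below are assumptions made for this illustration.

// --- Server side of the pattern (PHP in MISP; JavaScript here so it runs in one file) ---

// Escape a string for safe placement inside a double-quoted HTML attribute.
function escapeHtmlAttribute(s) {
  return s.replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// Render <meta name="..." content="...JSON..."> carrying page data for scripts.
// The payload is data in an attribute rather than code in a <script>, so no
// inline script is needed and `script-src 'self'` can remain strict.
function renderConfigMeta(name, data) {
  const json = JSON.stringify(data);
  return `<meta name="${escapeHtmlAttribute(name)}" content="${escapeHtmlAttribute(json)}">`;
}

// --- Client side: loader living in an external .js file ---

// `doc` defaults to the browser document; a stand-in can be passed in for tests.
function loadConfig(name, doc = globalThis.document) {
  const el = doc.querySelector(`meta[name="${name}"]`);
  if (!el) throw new Error(`missing config meta tag: ${name}`);
  // getAttribute() returns the entity-decoded value, i.e. the original JSON text.
  return JSON.parse(el.getAttribute('content'));
}

// --- CSP check: does this header still permit inline scripts? ---

function cspAllowsInlineScript(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const [name, ...values] = part.trim().split(/\s+/);
    if (name) directives.set(name.toLowerCase(), values.map((v) => v.toLowerCase()));
  }
  // script-src falls back to default-src; with neither present, inline is allowed.
  const src = directives.get('script-src') || directives.get('default-src');
  if (!src) return true;
  // CSP level 3: 'unsafe-inline' is ignored when a nonce or hash source is present.
  const hasNonceOrHash = src.some((v) => /^'(nonce-|sha(256|384|512)-)/.test(v));
  return src.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// --- Minimal stand-in for `document` so the round trip runs outside a browser ---

function unescapeHtmlAttribute(s) {
  return s.replace(/&(amp|lt|gt|quot|#39);/g, (m, e) => ({
    amp: '&', lt: '<', gt: '>', quot: '"', '#39': "'",
  })[e]);
}

// Parses the <meta> tags rendered above and decodes their attribute entities,
// mimicking what a real DOM does before getAttribute() hands the value back.
function fakeDocument(html) {
  const tags = [...html.matchAll(/<meta name="([^"]*)" content="([^"]*)">/g)]
    .map(([, name, content]) => ({
      name: unescapeHtmlAttribute(name),
      content: unescapeHtmlAttribute(content),
    }));
  return {
    querySelector(selector) {
      const m = /^meta\[name="(.*)"\]$/.exec(selector);
      const tag = m && tags.find((t) => t.name === m[1]);
      return tag ? { getAttribute: (a) => (a === 'content' ? tag.content : null) } : null;
    },
  };
}

// Constructed sample data standing in for what a template would hand to the page.
const SAMPLE_CONFIG = { baseurl: 'https://misp.example/', eventId: 42, note: 'a "quoted" <tag> & \'apos\'' };

function demoRoundTrip() {
  const html = renderConfigMeta('misp-config', SAMPLE_CONFIG);
  return loadConfig('misp-config', fakeDocument(html));
}
```

The escaping step matters as much as the tag choice: the JSON is placed in an attribute context, so every character that could terminate the attribute or open a tag is entity-encoded, and the browser's own attribute decoding restores the exact JSON for the loader. The CSP checker treats `script-src` as overriding `default-src`, which is why the `default-src 'self'` header from the issue is reported as strict while a header that adds `'unsafe-inline'` to `script-src` is not.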

rotanid commented 8 years ago

related to #207