Mirobit / bitcoin-node-manager

:bar_chart: Lightweight dashboard and control system for bitcoin nodes
MIT License

'unsafe-inline' should be removed from the CSP #75

Closed gStart9 closed 1 year ago

gStart9 commented 1 year ago

As mentioned here, every response from the server should have a Content-Security-Policy header set.

With regard to index.php's CSP: 'unsafe-inline' is not an appropriate content security policy for script-src (or any csp src directive, imo). All scripts should be explicitly loaded from .js files and CSP header's script-src directive set to 'self' only, to mitigate any malicious javascript injected into the page.
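As an added example (not code from the bitcoin-node-manager project or from the issue author), the following Python script parses a Content-Security-Policy header value and reports the weakness the comment describes: `'unsafe-inline'` in the effective `script-src` (falling back to `default-src` when `script-src` is absent), plus a few neighbouring checks. The two sample headers, `WEAK_HEADER` and `FIXED_HEADER`, are constructed here to mirror the "before" and the `'self'`-only "after" the comment asks for; they are not the project's actual headers.

```python
"""Audit a Content-Security-Policy header value for 'unsafe-inline' in script-src.

Added example; the sample headers below are constructed, not taken from the project.
"""
from typing import Dict, List

# Constructed samples: the first follows the pattern the issue objects to,
# the second is the 'self'-only policy the issue asks for.
WEAK_HEADER = ("default-src 'self'; script-src 'self' 'unsafe-inline'; "
               "style-src 'self' 'unsafe-inline'")
FIXED_HEADER = "default-src 'self'; script-src 'self'; style-src 'self'"

INLINE_OVERRIDES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> Dict[str, List[str]]:
    """Split a header value into {directive-name: [source, ...]}.

    Directive names are case-insensitive; when a directive is repeated,
    browsers honour the first occurrence, so later copies are dropped.
    """
    policy: Dict[str, List[str]] = {}
    for chunk in header.split(";"):
        parts = chunk.strip().split()
        if not parts:
            continue
        policy.setdefault(parts[0].lower(), parts[1:])
    return policy


def script_sources(policy: Dict[str, List[str]]) -> List[str]:
    """script-src inherits from default-src when it is not set explicitly."""
    if "script-src" in policy:
        return policy["script-src"]
    return policy.get("default-src", [])


def audit_csp(header: str) -> List[str]:
    """Return a list of findings; an empty list means the checks pass."""
    findings: List[str] = []
    policy = parse_csp(header)
    if not policy:
        return ["no Content-Security-Policy directives present"]

    sources = [s.lower() for s in script_sources(policy)]
    if not sources:
        findings.append("script-src: neither script-src nor default-src set, "
                        "scripts may load from any origin")
    if "'unsafe-inline'" in sources:
        msg = ("script-src allows 'unsafe-inline': inline <script> blocks and "
               "inline event handlers injected into the page would execute")
        # A nonce or hash source makes CSP2-capable browsers ignore
        # 'unsafe-inline', but it still acts as a weak fallback for old browsers.
        if any(s.startswith(INLINE_OVERRIDES) for s in sources):
            msg += " (ignored where a nonce/hash is honoured, but still a weak fallback)"
        findings.append(msg)
    if "'unsafe-eval'" in sources:
        findings.append("script-src allows 'unsafe-eval': eval()/new Function() of "
                        "attacker-controlled strings is permitted")
    if "*" in sources or "data:" in sources:
        findings.append("script-src allows '*' or 'data:' sources, which defeats "
                        "origin restriction")

    # The comment argues 'unsafe-inline' is inappropriate in any src directive,
    # so report it for the remaining directives as well (lower severity).
    for name, srcs in policy.items():
        if name != "script-src" and "'unsafe-inline'" in [s.lower() for s in srcs]:
            findings.append(f"{name} allows 'unsafe-inline'")
    return findings


if __name__ == "__main__":
    for label, header in (("weak", WEAK_HEADER), ("fixed", FIXED_HEADER)):
        print(f"{label}: {audit_csp(header) or 'OK'}")
```

Point it at the header actually served (for example the value seen in browser devtools or `curl -sI`) rather than at the source that is supposed to emit it, since the issue's first sentence is that every response must carry the header, and a check against the live response covers both conditions at once.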

gStart9 commented 1 year ago

I believe you've fixed this issue here: https://github.com/Mirobit/bitcoin-node-manager/commit/2309e1c11abbfde4f0a931c99142b764017438d8 https://github.com/Mirobit/bitcoin-node-manager/commit/92cfb554304ab6a73840cbb96fbd4a94e1f7984b

Nice! Closing issue.