Polkadex-Substrate / Polkadex-Open-Beta


Site is currently vulnerable to cross site scripting attacks (xss) #204

Open jaymansfield opened 2 years ago

jaymansfield commented 2 years ago

By raising this issue, I agree to the terms and conditions presented by Polkadex here: Terms and Conditions

Missing security header: X-XSS-Protection

The X-XSS-Protection HTTP header instructs the browser to stop loading web pages when it detects reflected Cross-Site Scripting (XSS) attacks. Lack of this header exposes application users to XSS attacks in case the web application contains such a vulnerability.

onchainaddress:{esm99RRxKvainDsRR6UHRcju4vNnAw1ouZEw64Yfn12tc6HpQ}

mastervalidator commented 2 years ago

Quoted from Mozilla: "These protections are largely unnecessary in modern browsers when sites implement a strong Content-Security-Policy that disables the use of inline JavaScript ('unsafe-inline')". This was already suggested in #183. Also, in some cases X-XSS-Protection can create XSS vulnerabilities in otherwise safe websites. See the section below for more information: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-XSS-Protection
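The two positions above (the report asking for X-XSS-Protection, and the reply pointing to a CSP that disallows inline script) can be turned into a mechanical check. The following is an added example, not code from this issue or from the Polkadex project: a small Node.js checker that parses a Content-Security-Policy value, works out which sources govern script execution (script-src, falling back to default-src), and reports whether inline script is blocked, while also flagging a non-zero X-XSS-Protection value as the legacy setting the reply warns about. The function names (assessXssHeaders and friends) and the two header sets are assumptions constructed for illustration, not captured from the Polkadex site.

```javascript
// Added example, not Polkadex code: decide from a response's headers whether
// inline-script XSS is actually mitigated, applying the rule from the thread
// (CSP without 'unsafe-inline' for scripts is the control; X-XSS-Protection
// is legacy and should be "0" or absent).

// Parse a Content-Security-Policy value into a Map of directive -> source tokens.
// Per the CSP spec, a repeated directive is ignored: the first one wins.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const rawDirective of headerValue.split(';')) {
    const tokens = rawDirective.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Sources governing <script>: script-src, else the default-src fallback.
// null means nothing in the policy restricts scripts at all.
function scriptSources(policy) {
  if (policy.has('script-src')) return policy.get('script-src');
  if (policy.has('default-src')) return policy.get('default-src');
  return null;
}

// Inline script is blocked when 'unsafe-inline' is absent from the effective
// script sources, or when a nonce- or hash-source is present (CSP Level 2+
// browsers then ignore 'unsafe-inline', which is only kept for old browsers).
function blocksInlineScript(sources) {
  if (sources === null) return false;
  const plain = sources.map(s => s.toLowerCase().replace(/^'|'$/g, ''));
  const unsafeInline = plain.includes('unsafe-inline');
  const nonceOrHash = plain.some(s => /^(nonce-|sha(256|384|512)-)/.test(s));
  return !unsafeInline || nonceOrHash;
}

// Assess a header object keyed by lowercase names (the shape Node's http
// module returns). Returns the verdict plus human-readable findings.
function assessXssHeaders(headers) {
  const findings = [];
  const cspValue = headers['content-security-policy'];
  let cspBlocksInline = false;
  if (cspValue === undefined) {
    findings.push('No Content-Security-Policy: inline script is unrestricted');
  } else {
    cspBlocksInline = blocksInlineScript(scriptSources(parseCsp(cspValue)));
    if (!cspBlocksInline) {
      findings.push('CSP allows inline script (no script-src/default-src, or ' +
                    "'unsafe-inline' without a nonce or hash)");
    }
  }
  const legacy = headers['x-xss-protection'];
  if (legacy !== undefined && legacy.trim() !== '0') {
    findings.push('X-XSS-Protection enables the legacy browser XSS auditor; ' +
                  'set it to "0" or drop it');
  }
  return { cspBlocksInline, findings };
}

// Constructed sample responses for illustration (not captured from any real site).
const weakHeaders = {
  'content-type': 'text/html; charset=utf-8',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '1; mode=block',
  'content-security-policy': "default-src 'self' 'unsafe-inline'",
};
const hardenedHeaders = {
  'content-type': 'text/html; charset=utf-8',
  'x-content-type-options': 'nosniff',
  'x-xss-protection': '0',
  'content-security-policy':
    "default-src 'self'; script-src 'self' 'nonce-d4Vx7Qz9'; object-src 'none'; base-uri 'self'",
};

console.log(assessXssHeaders(weakHeaders));
console.log(assessXssHeaders(hardenedHeaders));
```

Run with `node check-headers.js`; the first header set is reported as allowing inline script and carrying a legacy X-XSS-Protection value, the second passes cleanly. Note that the checker only evaluates the policy as written; a nonce is only a defence if the server generates a fresh, unguessable value per response and never echoes it into attacker-controlled markup.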

jaymansfield commented 2 years ago

Just want to make sure XSS is taken into consideration.

While #183 mentioned the Content-Security-Policy header, it didn't specify adding the unsafe-inline attribute to stop XSS, and only referred to MIME-sniffing attacks.