Closed coolemur closed 3 years ago
Setting bnomei.securityheaders.seed to null or false in config should do the trick.
https://github.com/bnomei/kirby3-security-headers/blob/f8ccb293666e6b25451d81b45dea0801e8bdfe10/index.php#L8
https://github.com/bnomei/kirby3-security-headers/blob/f8ccb293666e6b25451d81b45dea0801e8bdfe10/classes/SecurityHeaders.php#L135
Hello there
This plugin automatically adds a nonce to the headers. Is it possible to disable the nonce in the headers using the CSP loader?
'nonce-'
An allow-list for specific inline scripts using a cryptographic nonce (number used once). The server must generate a unique nonce value each time it transmits a policy. It is critical to provide an unguessable nonce, as bypassing a resource’s policy is otherwise trivial. See unsafe inline script for an example. Specifying nonce makes a modern browser ignore 'unsafe-inline' which could still be set for older browsers without nonce support.
Looks like 'unsafe-inline' doesn't work when a nonce is present in the headers. So without disabling the nonce in the headers, the 'unsafe-inline' option is not usable.
I know it's not a good idea to enable unsafe-inline, but sometimes inline scripts are generated by third parties.
Thank you
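The browser rule behind this issue, as an added example that is neither the plugin's code nor part of the original thread: a small model of how a CSP script-src directive is evaluated for an inline script, showing that a 'nonce-...' (or hash) source makes 'unsafe-inline' ignored. The policy strings and nonce value are constructed for illustration.

```javascript
// Added example (not the plugin's code): a minimal model of how a browser
// evaluates an inline <script> against a Content-Security-Policy header.
// Per CSP Level 2/3, if a script-src directive contains any 'nonce-...' or
// 'sha256-...' source, the browser ignores 'unsafe-inline' in that directive.

// Parse "directive src src; directive src" into { directive: [sources] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Decide whether an inline script runs. `script` carries the nonce attribute
// the markup supplies (if any) and the sha256 digest of its body (if known).
function inlineScriptAllowed(header, script = {}) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] || policy["default-src"];
  if (!sources) return true; // no governing directive: not restricted
  const hasNonceOrHash = sources.some((s) => /^'(nonce|sha(256|384|512))-/i.test(s));
  // nonce values are case-sensitive, so the match is exact
  if (script.nonce && sources.includes(`'nonce-${script.nonce}'`)) return true;
  if (script.sha256 && sources.includes(`'sha256-${script.sha256}'`)) return true;
  // 'unsafe-inline' only counts when no nonce/hash source is present
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Constructed sample policies mirroring the issue: the plugin emits a nonce,
// while a third-party inline script carries none.
const WITH_NONCE = "default-src 'self'; script-src 'self' 'unsafe-inline' 'nonce-r4nd0m'";
const WITHOUT_NONCE = "default-src 'self'; script-src 'self' 'unsafe-inline'";

console.log(inlineScriptAllowed(WITH_NONCE, {}));                  // false
console.log(inlineScriptAllowed(WITH_NONCE, { nonce: "r4nd0m" })); // true
console.log(inlineScriptAllowed(WITHOUT_NONCE, {}));               // true
```

The first call is the situation in the issue: the nonce emitted by the plugin causes the browser to drop 'unsafe-inline', so an inline script without the nonce attribute is blocked even though 'unsafe-inline' is in the policy.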