Closed radun2 closed 1 year ago
Also maybe this library would be of help for this feature request? https://github.com/NWebsec/NWebsec
This is being discussed in issue #4850 and is a much larger impact change for the platform than it may seem due to third-party modules and other factors.
We have detected this issue has not had any activity during the last 90 days. That could mean this issue is no longer relevant and/or nobody has found the necessary time to address the issue. We are trying to keep the list of open issues limited to those issues that are relevant to the majority and to close the ones that have become 'stale' (inactive). If no further activity is detected within the next 14 days, the issue will be closed automatically. If new comments are posted and/or a solution (pull request) is submitted for review that references this issue, the issue will not be closed. Closed issues can be reopened at any time in the future. Please remember those participating in this open source project are volunteers trying to help others and creating a better DNN Platform for all. Thank you for your continued involvement and contributions!
This issue has been closed automatically due to inactivity (as mentioned 14 days ago). Feel free to re-open the issue if you believe it is still relevant.
This is still a security issue; I have not found any solution to the inline script that comes with DNN's login button:
<a id="dnn_ctr_Login_Login_DNN_cmdLogin" title="Login" class="dnnPrimaryAction dnnDisabledAction" href="javascript:__doPostBack('dnn$ctr$Login$Login_DNN$cmdLogin','')">Login</a>
Tried nonce and unsafe-hashes and hash, no solution.
Problem: login. Was not able to solve this without adding unsafe-inline.
ERROR: Refused to run the JavaScript URL because it violates the following Content Security Policy directive: "script-src 'self'
Based on DNN's answer this is definitely a product to be completely replaced.
Description of problem
I would like to create a CSP that doesn't include unsafe-inline (e.g. Content-Security-Policy: script-src 'unsafe-inline'). If set differently, for starters Persona Bar will not work, and this blocks entering edit mode and so on. DNN basically needs inline scripts to work, and if asked to not have inline scripts it will break.
Description of solution
Use nonce on the tag scripts that are added by DNN for its functionality. https://content-security-policy.com/nonce/
Description of alternatives considered
Use sha256-... on tag scripts that are added by DNN for its functionality. https://content-security-policy.com/hash/
Screenshots
Not applicable
Additional context
Disallowing inline styles and inline scripts is one of the biggest security wins CSP provides. I expect the attack tools to adapt to weak CSPs, but it will mean a lot of common exploits are immediately off the cards, or harder.
Affected browser