google-code-export / webpasswordsafe

Automatically exported from code.google.com/p/webpasswordsafe

Implement Content Security Policy (CSP) with appropriate level of restriction #78

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
As an extra layer of protection against XSS/CSRF

Original issue reported on code.google.com by joshdrum...@gmail.com on 15 Mar 2013 at 2:10

GoogleCodeExporter commented 9 years ago
Unfortunately the JavaScript code GWT compiles out to by default doesn't
produce very CSP friendly code, so have to allow inline JavaScript and style,
as well as eval.  Oh and Firefox doesn't use the standard W3C syntax yet.  So
while it's better than nothing, it isn't as restrictive as I would like, but
since the application has been thoroughly tested for XSS vulnerabilities it is
just a secondary layer.

Original comment by joshdrum...@gmail.com on 20 Mar 2013 at 7:25
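
The trade-off described in the comment above, as an added example that is not part of the original thread or the project's code: a small Python check that parses a Content-Security-Policy header value and reports where `'unsafe-inline'` and `'unsafe-eval'` relax script and style protection. The policy string is constructed for illustration; the project's actual header is not shown on this page.

```python
# Added example: audit a CSP header value for the relaxations discussed above.
INLINE, EVAL = "'unsafe-inline'", "'unsafe-eval'"
HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def parse_csp(header):
    """Return {directive: [sources]}; a repeated directive is ignored (first wins)."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    return policy

def audit(header):
    """List (directive, finding) pairs for script-src and style-src."""
    policy = parse_csp(header)
    findings = []
    for directive in ("script-src", "style-src"):
        # Both directives fall back to default-src when they are absent.
        sources = policy.get(directive, policy.get("default-src"))
        if sources is None:
            findings.append((directive, "unrestricted"))
            continue
        # CSP Level 2+ browsers ignore 'unsafe-inline' next to a nonce or hash.
        pinned = any(s.startswith(HASH_OR_NONCE) for s in sources)
        for keyword in (INLINE, EVAL):
            if keyword in sources and not (keyword == INLINE and pinned):
                findings.append((directive, keyword))
    return findings

# Constructed policy of the kind the comment describes (not the project's header).
RELAXED = ("default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; "
           "style-src 'self' 'unsafe-inline'")

if __name__ == "__main__":
    for directive, finding in audit(RELAXED):
        print(f"{directive}: {finding}")
```

An empty result means neither directive carries these relaxations; it does not by itself show that the rest of the policy is tight.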

GoogleCodeExporter commented 9 years ago

Original comment by joshdrum...@gmail.com on 20 Mar 2013 at 7:28