itflow-org / itflow

Free and open-source web application for MSPs. Unifies IT documentation, ticketing, invoicing.
https://itflow.org
GNU General Public License v3.0
553 stars, 144 forks

Feature Request: Enforce a Content Security Policy (CSP) #1036

Open wrongecho opened 3 weeks ago

wrongecho commented 3 weeks ago

Content Security Policies tell the browser to restrict where resources, like JavaScript, are loaded from. They are a good defense against cross-site scripting (XSS) attacks.

We should try to move towards a CSP of at least default-src 'self'. Ideally also adding object-src 'none', but these would require that we don't use JavaScript inline, but instead load it properly via scripts with hashes/nonces.

https://content-security-policy.com/faq/
https://content-security-policy.com/strict-dynamic/
https://content-security-policy.com/nonce/

Until we can add this as part of the header includes, we'll have to track individual pages that can and can't have CSP applied:

General (main app)

Client Portal

Guest Views

Misc
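The nonce-based policy described in the comment above, as an added example of what a shared header include could do. This is illustrative code written for this issue, not ITFlow's own code; the function names (csp_nonce, csp_header, send_csp_header, csp_script) and the exact directive list are assumptions, and the style-src relaxation for TinyMCE is a placeholder to be tightened once the editor's real requirements are known.

```php
<?php
// Added example, not part of ITFlow. Assumes one shared header include that
// runs before any HTML is output and that every inline <script> on the page
// is emitted through csp_script() so it carries the per-request nonce.

// One unguessable nonce per response. It must never be reused across
// responses, so pages carrying it must not be served from a full-page cache.
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16));
    }
    return $nonce;
}

// Build the policy string. Directives are assumptions for illustration:
//  - script-src: nonce + 'strict-dynamic' lets nonced scripts load further
//    scripts (e.g. an editor pulling in its plugins); 'self' is only a
//    fallback for browsers that do not understand 'strict-dynamic'.
//  - script-src falls back to default-src when absent, so default-src 'self'
//    alone already blocks un-nonced inline scripts and inline event handlers.
//  - style-src keeps 'unsafe-inline' as a stop-gap for editors that inject
//    inline styles; replace with hashes/nonces once the offending styles
//    are identified.
function csp_header(bool $reportOnly = false): string
{
    $n = csp_nonce();
    $directives = [
        "default-src 'self'",
        "script-src 'nonce-$n' 'strict-dynamic' 'self'",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",
        "form-action 'self'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data:",
    ];
    $name = $reportOnly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    return $name . ': ' . implode('; ', $directives);
}

// Send the header once, guarding against output having already started.
function send_csp_header(bool $reportOnly = false): void
{
    if (!headers_sent()) {
        header(csp_header($reportOnly));
    }
}

// Wrap inline JavaScript so the browser will execute it under the policy.
// Note: this does NOT cover inline event handlers (onclick="...") or
// javascript: URLs; those are blocked regardless of nonce and must be moved
// into the script body (e.g. addEventListener).
function csp_script(string $js): string
{
    $nonce = htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8');
    return '<script nonce="' . $nonce . '">' . $js . '</script>';
}

// Usage in the shared header include, before any output. Roll out in
// report-only mode first so violations are logged rather than enforced.
send_csp_header(true);
echo "<!doctype html>\n<html><head>\n";
echo csp_script("console.log('nonced inline script runs');"), "\n";
echo "<script>console.log('un-nonced inline script is blocked once enforced');</script>\n";
echo "</head><body></body></html>\n";
```

Rolling out with Content-Security-Policy-Report-Only (optionally with a report-uri/report-to directive pointing at a logging endpoint) surfaces every page that still relies on un-nonced inline scripts, inline handlers or inline styles before anything is enforced, which is also the quickest way to find out exactly which resources an editor such as TinyMCE needs allowed.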

wrongecho commented 3 weeks ago

Bumping this from Project board to an issue. Would appreciate any help with this. Have started on some specific client portal pages but this seems to break things like TinyMCE.

It'd be fantastic (but probably a lot of work) to get this implemented in the main ITFlow app.