Open ghost opened 7 years ago
For reference, this is the current text:
Content Security Policy (CSP) implemented unsafely.
This includes 'unsafe-inline' or data: inside script-src, overly broad sources such as https: inside object-src or script-src, or not restricting the sources for object-src or script-src.
The issue with putting quotes around 'https:' and 'data:' is that it could be confusing since CSP doesn't use quotes for them, unlike 'unsafe-inline'. This is why the web UI has highlighting for the specific terms.
Well, I believe people are not stupid and they will figure out how to match the keywords from the text with those available, especially because they need to look up their options anyway. However, you don't need to be stupid to have a hard time reading sentences that are grammatically awkward ^^
The first time reading the sentence I was sitting quite some time trying to understand it. I had to google the available keywords to find out whether there was a grammar issue or whether it was a keyword. At first I thought the sentence was totally random. Once I fully understood the sentence it did not appear that bad anymore :D
You are right, with highlighting it is totally okay to read. Just from the local scanner text output it is hard to add the highlighting afterwards. It needs additional post-processing just to fix it. And search-and-replace is not the most stable solution (although the one I'm probably going for then). Also it depends on the output format whether highlighting is possible (think about JSON/CSV export). But I understand that it can either be good for the web UI or for the local scanner output, but not be perfect for both.
The current description text for the result "csp-implemented-with-unsafe-inline" is quite impossible to understand (unless you already know what it wants to tell you), as it uses quotation marks randomly :)
May I suggest the following enhancement:
I'd even recommend a more compact version:
best regards!
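The three conditions in the quoted description text, as an added example that is not code from the Observatory project: a small Python checker that parses a Content-Security-Policy header and reports each one. The sample headers are constructed; treating `http:` and `*` as overly broad alongside `https:` is my assumption.

```python
"""Flag the unsafe CSP patterns named in the quoted description:
'unsafe-inline' or data: in script-src, overly broad scheme sources in
script-src or object-src, and script-src/object-src left unrestricted."""

# Assumption: http: and * are as broad as the https: named in the text.
BROAD_SOURCES = {"https:", "http:", "*"}

# Constructed sample headers (not from any real site).
WEAK_CSP = "default-src 'self'; script-src 'self' 'unsafe-inline' https:; object-src https:"
STRONG_CSP = "default-src 'none'; script-src 'self' 'nonce-abc123'; object-src 'none'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Names and sources are lower-cased (CSP treats them case-insensitively);
    if a directive is repeated, the first occurrence wins, as browsers do.
    """
    policy: dict[str, list[str]] = {}
    for part in header.split(";"):
        tokens = part.strip().split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str):
    """Sources governing `directive`; falls back to default-src.
    Returns None when neither is present, i.e. the directive is unrestricted."""
    return policy.get(directive, policy.get("default-src"))


def unsafe_csp_findings(header: str) -> list[str]:
    """Return one human-readable finding per unsafe pattern (empty if none)."""
    policy = parse_csp(header)
    findings: list[str] = []
    for directive in ("script-src", "object-src"):
        sources = effective_sources(policy, directive)
        if sources is None:
            findings.append(f"{directive} is not restricted (no {directive} or default-src)")
            continue
        if directive == "script-src":
            # Inline script and data: URIs defeat the purpose of script-src.
            for bad in ("'unsafe-inline'", "data:"):
                if bad in sources:
                    findings.append(f"script-src allows {bad}")
        for broad in sorted(BROAD_SOURCES & set(sources)):
            findings.append(f"{directive} allows overly broad source {broad}")
    return findings
```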