Open darekjk opened 1 month ago
See also #2682
Issue #2682 is more about performance, not security. I meant: Content Security Policy
The best (for me) is moving every inline script and style section into individual files,
so it will be still easy to maintain.
For example, inline script from AddProductToOrder.cshtml could be moved to file ~/js/Areas/Admin/Views/Order/AddProductToOrder.js
and replaced in cshtml file with:
<script src="~/js/Areas/Admin/Views/Order/AddProductToOrder.js"></script>
It's even simpler than implementing a nonce attribute identifier for every request and adding it to every script section.
Secondly, every script section which uses external JS code should have an integrity attribute, for example:
https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity
<script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
Some useful info: About CSP by Google
nopCommerce version: up to 4.80.x
The solution uses inline scripts and styles. According to new best security practices, inline scripts should be moved to external JS/CSS files to allow using a Content Security Policy header with maximum protection for the application. Do you plan to move them in some future version?
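An added example (not nopCommerce code) of the two checks the request above relies on: computing the `integrity` value for an external script and verifying a fetched body the way browsers apply SRI (only the strongest listed algorithm counts), plus the strict CSP header that becomes possible once no inline script or style is left. The sample script body and function names are constructed for the demonstration.

```python
import base64
import hashlib
import re

# Constructed stand-in for the body of an externalised script such as AddProductToOrder.js.
SAMPLE_JS = b"window.addProductToOrder = function (id) { return id; };\n"

# Relative strength of the digest algorithms SRI allows; browsers ignore the rest.
STRENGTH = {"sha256": 1, "sha384": 2, "sha512": 3}

def sri_hash(content: bytes, algo: str = "sha384") -> str:
    """Return the integrity attribute value for a resource body, e.g. 'sha384-<base64>'."""
    digest = hashlib.new(algo, content).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"

def verify_integrity(content: bytes, integrity: str) -> bool:
    """Check a fetched body against an integrity attribute as the SRI spec does:
    parse every token, keep those using the strongest listed algorithm, and accept
    if any of them matches. Unlike browsers (which skip the check when nothing
    parses), this helper fails closed on an empty or unparsable attribute."""
    tokens = []
    for token in integrity.split():
        m = re.fullmatch(r"(sha256|sha384|sha512)-([A-Za-z0-9+/=]+)(\?.*)?", token)
        if m:  # unknown algorithms are ignored rather than treated as failures
            tokens.append((m.group(1), m.group(2)))
    if not tokens:
        return False
    strongest = max(STRENGTH[a] for a, _ in tokens)
    return any(sri_hash(content, a) == f"{a}-{d}"
               for a, d in tokens if STRENGTH[a] == strongest)

def csp_header(allow_cdn_hosts=()) -> str:
    """Build a strict CSP for a site whose scripts and styles all live in external
    files: no 'unsafe-inline', optional CDN hosts for SRI-pinned third-party scripts."""
    src = " ".join(("'self'",) + tuple(allow_cdn_hosts))
    return (f"default-src 'self'; script-src {src}; style-src {src}; "
            "object-src 'none'; base-uri 'self'")
```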