Open likehopper opened 3 years ago
There seem to be some more things to be prohibited by CSP:
compose_mail.tt2, request_topic.tt2 and viewmod.tt2.
spam_protection and/or web_archive_spam_protection parameter as javascript.
Has the code been updated?
How can we resolve the points I mentioned?
Hi @likehopper, could you please apply the changes in the PR above and check if the problem will be fixed?
The security requirements of web servers are increasing. From now on it's recommended to have a "Content-Security-Policy" rule. And generally, it prohibits the execution of inline scripts (unsafe-inline).
However, in Sympa's pages, we have an inline script generated dynamically. And that prevents the menu from working.
For example these include:
Could you change it to call it from an external file?
Thanks, Vincent
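
To see which template lines a policy without unsafe-inline will stop from running, the following added example (not part of the thread and not Sympa's own code) scans template text for inline script constructs and checks whether a given policy still permits them. The sample template, its variable names and the function names are constructed for illustration, and the line-based matching is a heuristic.

```python
import re

# Constructs that a policy without 'unsafe-inline' refuses to execute.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.I)
EVENT_ATTR = re.compile(r"\son[a-z]+\s*=", re.I)
JS_URL = re.compile(r"""(?:href|src|action)\s*=\s*["']?\s*javascript:""", re.I)

def find_inline_js(template_text):
    """Return (line_number, kind) for each construct CSP would block."""
    findings = []
    for lineno, line in enumerate(template_text.splitlines(), 1):
        for m in SCRIPT_TAG.finditer(line):
            # <script src=...> is an external file, matched against the
            # source list instead of being treated as inline.
            if not re.search(r"\bsrc\s*=", m.group(1), re.I):
                findings.append((lineno, "inline-script"))
        if EVENT_ATTR.search(line):
            findings.append((lineno, "event-handler"))
        if JS_URL.search(line):
            findings.append((lineno, "javascript-url"))
    return findings

def inline_scripts_allowed(csp):
    """True if un-nonced inline scripts still run under this policy.
    Only script-src with its default-src fallback is considered."""
    directives = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:  # the first occurrence of a directive wins
            directives.setdefault(tokens[0].lower(), [t.lower() for t in tokens[1:]])
    sources = directives.get("script-src", directives.get("default-src"))
    if sources is None:
        return True  # no directive governs scripts
    if any(s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for s in sources):
        return False  # 'unsafe-inline' is ignored when a nonce or hash is listed
    return "'unsafe-inline'" in sources

# Constructed sample template; variable names are hypothetical.
SAMPLE = """<script src="[% base %]/js/menu.js"></script>
<script>
  var current = '[% page %]';
</script>
<a href="#" onclick="toggleMenu()">Menu</a>
<a href="javascript:void(0)">Open</a>
"""

if __name__ == "__main__":
    for lineno, kind in find_inline_js(SAMPLE):
        print(f"line {lineno}: {kind}")
```
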