textpattern / server-config

Configuration files for Textpattern project servers.
The Unlicense

CSP `base-uri` rule #34

Closed philwareham closed 5 years ago

philwareham commented 5 years ago

Although we don't use the `<base>` tag directly, we need to protect against malicious use of it.

Adding the following to our CSP will suffice:

```
base-uri 'self'
```

See example commit: https://github.com/textpattern/server-config/commit/d10d031a99660a15beb60f80d4a0c622fe10273d

petecooper commented 5 years ago

Closing - see commit above. Thanks for the indent fix, @philwareham!