vaadin / framework

Vaadin 6, 7, 8 is a Java framework for modern Java web applications.
http://vaadin.com/

CSP Browser Protection #12496

Closed skdzp closed 2 years ago

skdzp commented 2 years ago

Is there anything planned to eliminate the necessity of

...script-src 'unsafe-inline' 'unsafe-eval' and style-src 'unsafe-inline'...

as described in https://vaadin.com/docs/v14/flow/advanced/framework-security#content-security-policy-csp-set-to-unsafe-values because this behaviour is unsafe?

TatuLund commented 2 years ago

Is there anything planned to eliminate the necessity of

At this point of time we do not have plans for this in scope of Vaadin 8.

because this behaviour is unsafe?

In the context of Vaadin it is not, because in the bootstrap process the widgetset resource is hardwired.

There is an older ticket about the same topic: https://github.com/vaadin/framework/issues/5266

skdzp commented 2 years ago

At this point of time we do not have plans for this in scope of Vaadin 8.

And in context of Vaadin Flow is there something planned to handle CSP in a safe way?

In the context of Vaadin it is not, because in the bootstrap process the widgetset resource is hardwired.

IMHO, even if the resources are hardwired, only an all-over CSP header will solve the possible attack vector, because the attack which the CSP header in combination with a modern browser will prevent is on the client side.

TatuLund commented 2 years ago

And in context of Vaadin Flow is there something planned to handle CSP in a safe way?

There are no changes made in the current implementation. It is however documented as a false positive, as the current implementation in the context of Vaadin is actually safe. See

https://vaadin.com/docs/latest/flow/security/frequent-issues

skdzp commented 2 years ago

Ok. Thank you for your explanation.