Lack of a CSP in lisk-desktop #5283

Closed
eniolam1000752 opened this issue Sep 1, 2023 · 0 comments
@eniolam1000752
Contributor

Actual behavior

Partially resolved in PR #5151. While this PR adds a CSP, the script-src directive is set to 'self' 'unsafe-inline' 'unsafe-eval'. This makes the CSP useless against XSS attacks. We recommend avoiding inline scripts if possible (and removing 'unsafe-inline' 'unsafe-eval'). If this is not possible, use a nonce- or hash-based approach. See Mozilla's Content-Security-Policy documentation for more information.

@eniolam1000752 eniolam1000752 added this to the Sprint 107 milestone Sep 1, 2023
@eniolam1000752 eniolam1000752 self-assigned this Sep 1, 2023
@ManuGowda ManuGowda changed the title TOB-LISK-55: Lack of a CSP in lisk-desktop TOB-Lack of a CSP in lisk-desktop Sep 4, 2023
@ManuGowda ManuGowda changed the title TOB-Lack of a CSP in lisk-desktop Lack of a CSP in lisk-desktop Sep 5, 2023
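
The check and the hash-based alternative described in the issue, as an added example that is not part of the original issue or of lisk-desktop's code. The function names (`parseCsp`, `auditScriptSrc`, `hashSource`) and the inline script are hypothetical; only the reported `script-src` value comes from the issue.

```javascript
// Added example (Node.js): audit a CSP's script-src and build a hash source.
const { createHash } = require('crypto');

// Parse "name src src; name src" into a Map of directive name -> [sources].
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // A repeated directive is ignored by browsers; the first one wins.
    if (name && !directives.has(name.toLowerCase())) {
      directives.set(name.toLowerCase(), sources);
    }
  }
  return directives;
}

// Return the reasons a policy's script-src does not constrain injected script.
function auditScriptSrc(policy) {
  const directives = parseCsp(policy);
  // script-src falls back to default-src when it is absent.
  const sources = directives.get('script-src') ?? directives.get('default-src');
  if (!sources) return ['no script-src or default-src: scripts are unrestricted'];

  const lower = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const findings = [];
  // Browsers ignore 'unsafe-inline' once a nonce or hash source is present.
  if (lower.includes("'unsafe-inline'") && !hasNonceOrHash) {
    findings.push("'unsafe-inline' allows injected inline scripts and event handlers");
  }
  if (lower.includes("'unsafe-eval'")) {
    findings.push("'unsafe-eval' allows eval() and Function() on strings");
  }
  return findings;
}

// CSP hash source for one inline script: base64 SHA-256 of its exact text.
function hashSource(inlineScript) {
  const digest = createHash('sha256').update(inlineScript, 'utf8').digest('base64');
  return `'sha256-${digest}'`;
}

// The script-src value quoted in the issue.
const REPORTED = "script-src 'self' 'unsafe-inline' 'unsafe-eval'";
// Constructed inline script standing in for whatever must stay inline.
const INLINE = "window.__BOOT__ = { locale: 'en' };";
const HARDENED = `script-src 'self' ${hashSource(INLINE)}`;

console.log(auditScriptSrc(REPORTED));
console.log(HARDENED, auditScriptSrc(HARDENED));
```

The hash must be computed over the exact bytes between the `<script>` tags, so any whitespace change in the inline script requires a new hash in the policy.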