After reading https://medium.com/@david.gilbertson/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5, I've had a look at our CSP…

Basically it is about the fact that you can (and should) use your CSP to limit outgoing connections, so even if malicious JS is injected (by third parties, not by the server admin), you can be sure data is sent nowhere else.

So how is our CSP?
It explicitly allows these connections… 😢 (`connect-src *`)

Currently, because of the plan to do #2 this is useful, but this feature prevents this security enhancement.

So what can you do as an admin? (Or what can we do to enable it by default?)

Just set `connect-src` to `connect-src 'self'` and add `form-action 'none';` to prevent bypassing that… (BTW: I've added that form action thing in the latest master.)

That's it! As long as #2 is not implemented, all features should work.
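To make the two points of the issue concrete (a wildcard `connect-src` lets injected script send data anywhere, and `form-action` has to be set separately because it does not fall back to `default-src`), here is an added example of a small policy audit script. It is not code from the project; the policy strings in it are constructed for illustration, since the issue only quotes `connect-src *`, and the function names are my own.

```python
"""Audit a Content-Security-Policy header for the two exfiltration-related
directives discussed above: connect-src and form-action.

Added example. The policy strings below are constructed for illustration and
are not the project's real header (the issue only quotes `connect-src *`).
"""

from __future__ import annotations

# Fetch directives fall back to default-src when absent. form-action is
# deliberately NOT in this set: per the CSP spec it has no fallback, so a
# policy without form-action lets a form post to any origin.
FETCH_DIRECTIVES = {
    "connect-src", "script-src", "img-src", "style-src",
    "font-src", "media-src", "frame-src",
}

# Source expressions that allow arbitrary origins (a host wildcard such as
# *.example.com is still bounded to one domain and is not flagged here).
ANY_ORIGIN = {"*", "http:", "https:", "ws:", "wss:"}

# Constructed sample policies (not the project's actual headers).
WEAK_POLICY = "default-src 'self'; script-src 'self'; connect-src *; img-src * data:"
HARDENED_POLICY = "default-src 'self'; connect-src 'self'; form-action 'none'"


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a CSP header into {directive: [source expressions]}.

    Directives are ';'-separated, tokens are whitespace-separated, and
    directive names are case-insensitive. A repeated directive keeps its
    first occurrence, which is what browsers do with duplicates.
    """
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if not tokens:
            continue
        policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Return the source list that actually governs `directive`, or None if
    nothing restricts it (no explicit directive and no applicable fallback)."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return None


def allows_any_origin(sources: list[str] | None) -> bool:
    """True when the source list (or its absence) permits arbitrary origins."""
    if sources is None:
        return True
    return any(src.lower() in ANY_ORIGIN for src in sources)


def audit_csp(header: str) -> list[str]:
    """Return human-readable findings; an empty list means both checks pass."""
    policy = parse_csp(header)
    findings: list[str] = []

    connect = effective_sources(policy, "connect-src")
    if connect is None:
        findings.append("connect-src: neither connect-src nor default-src is set; "
                        "fetch/XHR/WebSocket may reach any origin")
    elif allows_any_origin(connect):
        findings.append(f"connect-src: '{' '.join(connect)}' allows outgoing "
                        "connections to any origin")

    form = effective_sources(policy, "form-action")
    if form is None:
        findings.append("form-action: missing (no default-src fallback); an injected "
                        "form can submit data to any origin, bypassing connect-src")
    elif allows_any_origin(form):
        findings.append(f"form-action: '{' '.join(form)}' allows form submission "
                        "to any origin")
    return findings


if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"[{label}] {policy}")
        for finding in audit_csp(policy) or ["  ok"]:
            print(" ", finding)
```

Running it prints two findings for the weak policy (the wildcard `connect-src` and the absent `form-action`) and none for the hardened one. The `effective_sources` lookup is the part worth keeping around: it encodes which directives inherit from `default-src` and which do not, so a policy that looks tight at a glance (`default-src 'self'`) is still reported as missing `form-action`.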