Add support for CSP #909

jvoisin · 2019-03-21T20:07:36Z

It would be amazing to have CSP support in Airsonic, since it's not uncommon to find XSS in airsonic/subsonic/libresonic/… codebases.
Unfortunately, it's non-trivial to make the codebase compliant.

Get rid of <input type="button" onclick="location.href='XXX'"> (Remove inline javascript on the cancel buttons #945)
Try to move inline javascript into dedicated files
If moving all the javascript to dedicated files isn't possible, investigate the usage of nonces
Try to eradicate the usage of eval
- It's used in prototype.js Get rid of prototype.js #1094

The text was updated successfully, but these errors were encountered:

jvoisin · 2019-04-10T21:26:05Z

For nonces we would have to generate a random string per request, and shove it into each <script> as well as in a header.

@muff1nman do you know how this could be done in Spring?

This was referenced Mar 21, 2019

First pass of CSP-compliance for mousetrap #910

Merged

Fancyzoom is non-free #911

Closed

jvoisin mentioned this issue Mar 31, 2019

Remove inline javascript on the cancel buttons #945

Merged

jooola added the type: enhancement-closed What was previously labeled enhancement. For archiving. Will be organized later. label Apr 2, 2019

jvoisin added this to the 11.0.0 milestone Apr 28, 2019

jvoisin mentioned this issue Jun 6, 2019

Get rid of prototype.js #1094

Closed

jvoisin self-assigned this Jun 6, 2019

openscallion mentioned this issue Apr 30, 2020

Add support for CSP airsonic-advanced/airsonic-advanced#270

Open

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for CSP #909

Add support for CSP #909

jvoisin commented Mar 21, 2019 •

edited

Loading

jvoisin commented Apr 10, 2019

Add support for CSP #909

Add support for CSP #909

Comments

jvoisin commented Mar 21, 2019 • edited Loading

jvoisin commented Apr 10, 2019

jvoisin commented Mar 21, 2019 •

edited

Loading