Impact
When the following conditions are met:
- Automated CSP headers generation for SSR content is enabled
- The web application serves content that can be partially controlled by external users
Then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts.
Patches
Available in version 1.3.0 .
Workarounds
- Do not enable CSP headers generation.
- Use it only for dynamically generated content that cannot be controlled by external users in any way.
References
Are there any links users can visit to find out more?
Impact
When the following conditions are met:
Then it is possible that the CSP headers generation feature might be "allow-listing" malicious injected resources like inlined JS, or references to external malicious scripts.
Patches
Available in version 1.3.0 .
Workarounds
References
Are there any links users can visit to find out more?