Skip to content

marschall/CSP-Hack

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
src
src
 
 
.gitattributes
.gitattributes
 
 
.project
.project
 
 
README.md
README.md
 
 

Repository files navigation

CSP Hack

Exploration of how to make Content Security Policy work with Seaside.

The current approach works with a combination of:

  • A filter that generates a nonce for every request, stores it in the request context and generates a CSP HTTP header.
  • A custom document that makes sure a nonce is added to every <script> element that does not already have it.

A custom script generator does not work since it can only add a nonce to <script> elements in the<body> but not <script> elements in <head>. <script> elements in <head> need a nonce since the combination of 'self' 'nonce-' does not work with Firefox only the combination of 'strict-dynamic' 'nonce-' .

About

An exploration of how to make CSP work with Seaside.

Topics

smalltalk content-security-policy nonce

Resources

Readme
Activity

Stars

2 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

 
 
 

Contributors

Languages