CSP security issue due to it being ineffective

[L1ghtn1ng]

As it currently stands, the CSP is ineffective at preventing XSS issues due to having unsafe-inline and unsafe-eval in the script-src directive. The way to fix this would be to have all <script> tags have the nonce="" attribute that would then get injected inside of the quotes. This value has to be unique per request. As and idea of how to do it can be seen here https://cybermon.uk/posts/cloudflare_workers_pages_and_hugo/

[L1ghtn1ng]

It would just need translating over to php code etc

[OPNsense-bot]

Thank you for creating an issue.
Since the ticket doesn't seem to be using one of our templates, we're marking this issue as low priority until further notice.

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

The easiest option to gain traction is to close this ticket and open a new one using one of our templates.

[OPNsense-bot]

This issue has been automatically timed-out (after 180 days of inactivity).

For more information about the policies for this repository,
please read https://github.com/opnsense/core/blob/master/CONTRIBUTING.md for further details.

If someone wants to step up and work on this issue,
just let us know, so we can reopen the issue and assign an owner to it.