Hi,
To improve security, the 'unsafe-inline' and 'unsafe-eval' directives for CSS and JS must be disabled.
According to the following link, which I quote at the end, in Nginx there is a header which can be added to secure it. I don't know which is the right header for lighttpd, but it must be similar.
If we add that security directive, your application displays with design errors. A screenshot can be found here: http://imgur.com/Yw9mP8a
https://gist.github.com/plentz/6737338
With Content Security Policy (CSP) enabled (and a browser that supports it: http://caniuse.com/#feat=contentsecuritypolicy),
you can tell the browser that it can only download content from the domains you explicitly allow.
http://www.html5rocks.com/en/tutorials/security/content-security-policy/
https://www.owasp.org/index.php/Content_Security_Policy
I need to change our application code so we can increase security by disabling the 'unsafe-inline' 'unsafe-eval'
directives for css and js (if you have inline css or js, you will need to keep it too).
more: http://www.html5rocks.com/en/tutorials/security/content-security-policy/#inline-code-considered-harmful
```nginx
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com https://assets.zendesk.com https://connect.facebook.net; img-src 'self' https://ssl.google-analytics.com https://s-static.ak.facebook.com https://assets.zendesk.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com https://assets.zendesk.com; font-src 'self' https://themes.googleusercontent.com; frame-src https://assets.zendesk.com https://www.facebook.com https://s-static.ak.facebook.com https://tautt.zendesk.com; object-src 'none'";
```
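To see which directives of a policy like the one quoted above still permit inline code or eval, here is an added Python helper (not code from this issue or from the project) that parses a CSP header value, applies the default-src fallback for script-src and style-src, and reports the unsafe keywords in effect; it treats 'unsafe-inline' as neutralized when a nonce or hash source is also present, which is how CSP Level 2 browsers behave. The POLICY sample is an abridged, constructed copy of the quoted header.

```python
from typing import Dict, List

# Abridged copy of the nginx policy quoted in this issue (constructed sample input).
POLICY = (
    "default-src 'self'; "
    "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://ssl.google-analytics.com; "
    "img-src 'self' https://ssl.google-analytics.com; "
    "style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; "
    "object-src 'none'"
)

UNSAFE_KEYWORDS = ("'unsafe-inline'", "'unsafe-eval'")
# Only script-src and style-src govern inline code and eval; both fall back to default-src.
INLINE_DIRECTIVES = ("script-src", "style-src")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a CSP header value into {directive-name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if tokens:
            # A repeated directive is ignored by browsers; keep the first occurrence.
            directives.setdefault(tokens[0].lower(), tokens[1:])
    return directives


def has_nonce_or_hash(sources: List[str]) -> bool:
    """True if the source list carries a nonce or hash; CSP2 then ignores 'unsafe-inline'."""
    prefixes = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")
    return any(s.lower().startswith(prefixes) for s in sources)


def audit_csp(policy: str) -> Dict[str, List[str]]:
    """Return {directive: [unsafe keywords actually in effect]} for script-src and style-src."""
    directives = parse_csp(policy)
    findings: Dict[str, List[str]] = {}
    for name in INLINE_DIRECTIVES:
        sources = directives.get(name, directives.get("default-src", []))
        lowered = [s.lower() for s in sources]
        effective = [k for k in UNSAFE_KEYWORDS if k in lowered]
        if "'unsafe-inline'" in effective and has_nonce_or_hash(sources):
            effective.remove("'unsafe-inline'")
        if effective:
            findings[name] = effective
    return findings


if __name__ == "__main__":
    for directive, keywords in audit_csp(POLICY).items():
        print(f"{directive}: {' '.join(keywords)} still allowed")
```

Running it against the quoted policy reports both keywords for script-src and 'unsafe-inline' for style-src, which is exactly what the author wants to remove; a policy with only default-src 'self' reports nothing.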