There are various security headers in HTTP. We can't actually add headers for qute:// URLs, but we could add <meta http-equiv="..." value="..."> tags to the markup.
For example, with Content-Security-Policy, it'd allow us to avoid making requests to the outside world if there ever was another XSS issue on qute:// pages.
Not sure whether that works though, those internal URLs might be handled specially somehow.
but that fails because we currently embed the style and scripts into the .html file in most places. This should probably change - if we enable unsafe-inline, we might as well not use CSP at all.
Maybe we can get jinja to autogenerate nonces or hashes for the scripts though? Just need to make sure those are compatible everywhere though.
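The hash-based variant floated above, written out as an added example (not qutebrowser's own code): compute a CSP `sha256-` source for every inline `<script>`/`<style>` block embedded in the page and emit them in a `<meta http-equiv>` tag, so the policy can stay at `default-src 'none'` with no `'unsafe-inline'`. The page body below is constructed, and the regex extraction stands in for whatever a Jinja filter would see; the meta tag must precede the inline blocks it covers, so it is placed in `<head>`.

```python
import base64
import hashlib
import html
import re

# Constructed sample body with one inline script and one inline style,
# the way a qute:// page template embeds them today (not the real template).
SAMPLE_BODY = """<script>document.title = "qute://help";</script>
<style>body { font-family: sans-serif; }</style>
<p>Hello</p>"""

_INLINE_RE = re.compile(r"<(script|style)\b[^>]*>(.*?)</\1>", re.DOTALL | re.IGNORECASE)


def csp_hash(source):
    """CSP source expression for one inline block.

    The browser hashes the exact text between the open and close tag
    (whitespace included), UTF-8 encoded, and compares standard base64."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def collect_inline_hashes(body):
    """Map 'script' / 'style' to the hash sources of every inline block found."""
    hashes = {"script": [], "style": []}
    for kind, source in _INLINE_RE.findall(body):
        hashes[kind.lower()].append(csp_hash(source))
    return hashes


def build_policy(body):
    """Allow only the embedded inline code; default-src 'none' blocks every
    outbound request, and the per-block hashes replace 'unsafe-inline'."""
    hashes = collect_inline_hashes(body)
    directives = ["default-src 'none'"]
    for kind in ("script", "style"):
        if hashes[kind]:
            directives.append("%s-src %s" % (kind, " ".join(hashes[kind])))
    return "; ".join(directives)


def csp_meta_tag(body):
    """The policy travels in the meta tag's content attribute."""
    policy = html.escape(build_policy(body), quote=False).replace('"', "&quot;")
    return '<meta http-equiv="Content-Security-Policy" content="%s">' % policy


def render_page(body):
    """Emit the meta tag in <head>, ahead of the inline blocks it whitelists."""
    return "<!DOCTYPE html><html><head>%s</head><body>%s</body></html>" % (
        csp_meta_tag(body), body)
```

Editing a single byte of an inline block (even trailing whitespace) changes its hash, which is exactly what makes the mechanism resistant to injected script: an attacker's inline code carries no matching hash and is refused.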