View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0005813 | Composr | core | public | 2024-07-27 01:18 | 2024-09-04 21:49 |
| Reporter | Patrick Schmalstig | Assigned To | Chris Graham | ||
| Severity | Minor-bug | ||||
| Status | assigned | Resolution | open | ||
| Product Version | 11.beta1 | ||||
| Fixed in Version | |||||
| Summary | 0005813: Potentially risky wildcard default-src CSP set on several pages | ||||
| Description | default-src * data: blob: 'unsafe-inline' is being set on many pages. This might be quite risky especially without a nonce. | ||||
| Tags | Roadmap: v11 | ||||
| Time estimation (hours) | |||||
| Sponsorship open | |||||
|
|
Automated message: This issue was created using the Report Issue Wizard on the Composr homesite. |
|
|
Possible this may be because of "Permit no JavaScript nonce for injected scripts", which honestly should be disabled by default IMO and users instructed to enable it only if they must for third-party libraries that need it. |
|
|
This seems to be happening on a lot of the add and edit screens. Other screens have the proper headers. |
|
|
This was mainly a WYSIWYG issue, fixed in 11 beta2, but I still see it on some other screens. Leaving the issue open for now. |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2024-07-27 01:18 | Patrick Schmalstig | Tag Attached: Roadmap: v11 | |
| 2024-07-27 01:22 | Patrick Schmalstig | Note Added: 0008986 | |
| 2024-07-27 01:29 | Patrick Schmalstig | Note Added: 0008987 | |
| 2024-07-27 01:29 | Patrick Schmalstig | Assigned To | => Chris Graham |
| 2024-07-27 01:29 | Patrick Schmalstig | Status | non-assigned => assigned |
| 2024-07-27 01:29 | Patrick Schmalstig | Summary | Potentially risky wildcard default-src CSP set on several pages => Potentially risky wildcard default-src CSP set on several pages |
| 2024-09-04 21:49 | Patrick Schmalstig | Note Added: 0009262 |
