[Koha-bugs] [Bug 20397] Implement Content Security Policy

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Mon Apr 4 18:45:29 CEST 2022


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397

--- Comment #7 from Jake Deery <jake.deery at ptfs-europe.com> ---
Hi Michal,

I agree; long-term, having a syspref or sysprefs to manage these things would
be preferable. In the meantime, I think our starting goal should be
implementing something along the lines of:

# Disable unsafe inline/eval, only allow loading of resources (images, fonts,
scripts, etc.) over https
# Note that this does not provide any XSS protection
Content-Security-Policy: default-src https:

... as a basic (mandatory) rule. It does not provide any real security gains,
but it begins to encourage good practice regarding not placing JavaScript
inline in future (as it simply won't work).

Once we've covered this as a base, I think that would be the time to move on to
adding stricter and more customisable CSP headers.

Discussion time; what are everyone's thoughts on this? I could perhaps write a
patch as a proof-of-concept?

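The header proposed in the comment above, run through a small Python model of CSP source-list matching. This is an added example, not Koha code or a patch from this thread; it assumes a constructed page origin and models only scheme sources, 'self', 'none', wildcard host sources and the 'unsafe-inline'/'unsafe-eval' keywords.

```python
# Added illustration (not Koha code): a minimal model of how a browser matches a
# CSP source list, used to check what the proposed "default-src https:" header
# permits. Nonces, hashes, ports and paths of host sources are not modelled.
from urllib.parse import urlparse

PAGE_ORIGIN = "https://koha.example.org"  # constructed placeholder for the OPAC/staff origin

def parse_policy(header):
    """'default-src https:; img-src *.example.org' -> {directive: [source expressions]}."""
    policy = {}
    for clause in header.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def _matches(source, url):
    """Does one source expression match one fetched URL?"""
    if source == "'self'":
        return f"{url.scheme}://{url.netloc}" == PAGE_ORIGIN
    if source.startswith("'"):  # 'none', 'unsafe-inline', 'unsafe-eval', ... never match a URL
        return False
    if source.endswith(":") and "://" not in source:  # scheme-source such as https:
        return url.scheme == source[:-1]
    scheme = urlparse(PAGE_ORIGIN).scheme  # a bare host-source inherits the page's scheme
    pattern = urlparse(source if "://" in source else f"{scheme}://{source}")
    host, target = pattern.hostname or "", url.hostname or ""
    if host.startswith("*."):  # *.example.org matches subdomains only, not example.org
        return pattern.scheme == url.scheme and target.endswith(host[1:])
    return pattern.scheme == url.scheme and target == host

def allows(header, directive, load):
    """Does `header` let `directive` perform `load`, which is "inline" (inline
    script/style), "eval" (string-to-code) or a URL? An absent fetch directive
    falls back to default-src, as in the CSP spec."""
    policy = parse_policy(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:  # nothing governs this directive, so it is unrestricted
        return True
    if load in ("inline", "eval"):  # only the matching 'unsafe-...' keyword re-enables these
        return f"'unsafe-{load}'" in sources
    return any(_matches(source, urlparse(load)) for source in sources)

if __name__ == "__main__":
    for load in ("inline", "eval", "https://cdn.example.org/jquery.js", "http://cdn.example.org/jquery.js"):
        print(f"{load}: {'allowed' if allows('default-src https:', 'script-src', load) else 'blocked'}")
```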