[Koha-bugs] [Bug 20397] Implement Content Security Policy
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Mon Jan 24 06:06:28 CET 2022
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397
--- Comment #4 from David Cook <dcook at prosentient.com.au> ---
(In reply to Benjamin Daeuber from comment #2)
> We're currently experimenting with this in response headers in Apache,
> though part of the struggle is getting a hold on the variety of resources
> we're currently loading. Paypal, cover images, analytics scripts, enhanced
> content, jquery libraries, etc, etc.
To start, we could use this example:
"# Don't implement the above policy yet; instead just report violations that
would have occurred
Content-Security-Policy-Report-Only: default-src https:; report-uri
/csp-violation-report-endpoint/"
That might help us build up a good list?
> Is the thought to do this with meta tags or using response headers?
It seems like a response header is preferred?
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list