[Koha-bugs] [Bug 20397] Implement Content Security Policy
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Fri Aug 18 02:42:15 CEST 2023
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397
--- Comment #15 from David Cook <dcook at prosentient.com.au> ---
For our inline scripts (like OpacUserJS and IntranetUserJS), we could use a
nonce.
We'd need to generate the nonce and pass it to the $template in
C4::Auth::get_template_and_user().
Then we could easily place it into whatever inline script we need.
It wouldn't prevent XSS where we've made an error in our inline script, but it
would prevent a lot of stored and reflected XSS in other contexts.
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
More information about the Koha-bugs
mailing list