Content Security Policy?
I'd like to put a Content Security Policy in place.
Here's the line of code I added to .htaccess: Header set Content-Security-Policy "default-src https:"
I have a Photo Album module that I've configured with the Slideshow content action and the Default content display.
When I have the above Content Security Policy active, the slideshow doesn't appear. Once I comment out the Content Security Policy from .htaccess, the slideshow appears. I think the reason the slideshow doesn't appear is because it uses an inline script. I know that I could add 'unsafe-inline' but that won't provide any XSS protection.
How can I have the inline script and still have XSS protection?
Comments
- Either the 'unsafe-inline' keyword, a hash ('sha256-ZVjd2zfSTfAVh1y7eCcNk0SPGUQOP/H8vzrFJIVgg90='), or a nonce ('nonce-...') is required to enable inline execution.
Most external scripts require some inline code to actually run, which is likely the case above... e.g., our 'scripts' are on the view template itself and not in an external file. In a simple local test, not only are all inline scripts blocked, but also inline styles. It also won't allow the editor to work, etc... Current versions of Exponent afford quite a bit of XSS protection by scrubbing ALL input via forms and the url... in fact the only scripts/forms, etc... which aren't scrubbed are text entered within a code snippet module.
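To illustrate the hash and nonce alternatives to 'unsafe-inline' mentioned in the comment above, here is an added example (not Exponent code and not from the original thread) that computes the 'sha256-...' source expression for an inline script and builds the header value for .htaccess. The sample HTML and the startSlideshow() call in it are constructed placeholders, not the real slideshow markup.

```python
import base64
import hashlib
import re
import secrets

# Constructed sample page with one inline script, standing in for a view template.
SAMPLE_HTML = """<div id="slideshow"></div>
<script>startSlideshow('slideshow', 5000);</script>
"""

SCRIPT_RE = re.compile(r"<script[^>]*>(.*?)</script>", re.DOTALL | re.IGNORECASE)


def csp_hash(script_body: str) -> str:
    """Return the 'sha256-...' source expression for one inline script.
    The digest covers the exact bytes between <script> and </script>,
    whitespace included, so the template text must not vary per request."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def hash_policy(html: str) -> str:
    """Policy that keeps default-src https: but allows only the inline scripts found in html."""
    hashes = [csp_hash(body) for body in SCRIPT_RE.findall(html)]
    sources = " ".join(f"'{h}'" for h in hashes)
    return f"default-src https:; script-src https: {sources}"


def new_nonce() -> str:
    """Fresh random nonce; generate one per response, never a fixed value."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def nonce_policy(nonce: str) -> str:
    """Policy for the nonce approach; every allowed <script> tag must carry nonce="...".
    Use this when the inline script contains per-request values and cannot be hashed."""
    return f"default-src https:; script-src https: 'nonce-{nonce}'"


def htaccess_line(policy: str) -> str:
    """The Apache directive as it would appear in .htaccess."""
    return f'Header set Content-Security-Policy "{policy}"'


if __name__ == "__main__":
    print(htaccess_line(hash_policy(SAMPLE_HTML)))
    print(htaccess_line(nonce_policy(new_nonce())))
```

A hash whitelists one exact script body, so any edit to the template invalidates it; a nonce must be injected into the header and the script tag by server-side code on every response, which a static .htaccess line alone cannot do.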