Server: Get rid of inline CSS and remove unsafe-inline gradually from controllers

Created on 29 Aug 2016 · 4 Comments · Source: nextcloud/server

Labels: 1. to develop, enhancement, good first issue, help wanted, security

All 4 comments

So probably a good step would be to create a stricter CSP which Apps can then start to use already.

Then we could also start logging warnings on the old CSP.

Open for almost 4 years. Grateful if the NC cloud can work towards a solution.

@sunny75016 I am sure Pull Requests are appreciated :-)

In this thread someone suggested creating a strict CSP. Here is my humble suggestion to keep the CSP short. If we replace default-src with 'none', then it becomes too long.

Apache2:
Header set Content-Security-Policy "default-src 'self'; img-src data: 'self'; upgrade-insecure-requests;"

I am not using nginx so someone else can write its equivalent. I hope the suggestion is useful to authors who want to get rid of 'unsafe-inline' from script-src.
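The thread asks for two things: a stricter policy that apps can opt into, and a way to surface what still breaks before the old policy is switched off. The standard way to do the second is to keep enforcing the permissive policy while sending the strict one in Content-Security-Policy-Report-Only, so violations are logged instead of blocking pages. The example below is added here and is not Nextcloud's code or API: it builds a strict policy in which 'unsafe-inline' is replaced by a per-response nonce, emits the legacy/report-only header pair for the transition phase, and includes a small check that flags any directive still carrying 'unsafe-inline' (useful for the Apache line above as well). The report endpoint path /csp-report and the directive set are assumptions for illustration.

```python
"""Added example (not Nextcloud code): staged removal of 'unsafe-inline'.

Strict policy: nonce-based script-src/style-src, default-src 'none'.
Transition: enforce the legacy policy, report the strict one.
"""
import secrets
from typing import Dict, List

REPORT_URI = "/csp-report"  # assumed endpoint that stores violation reports


def make_nonce() -> str:
    # 128 bits from a CSPRNG, base64url encoded; generate one per response,
    # never reuse it, and make sure responses carrying it are not cached.
    return secrets.token_urlsafe(16)


def build_policy(directives: Dict[str, List[str]]) -> str:
    # Serialise in insertion order so headers are stable and diffable in logs.
    # Directives with no values (e.g. upgrade-insecure-requests) are bare.
    parts = []
    for name, values in directives.items():
        parts.append(name if not values else f"{name} {' '.join(values)}")
    return "; ".join(parts)


def strict_policy(nonce: str) -> Dict[str, List[str]]:
    # Deny by default, then allow only what the page needs. Inline scripts
    # and styles run only if they carry the matching nonce attribute.
    return {
        "default-src": ["'none'"],
        "script-src": ["'self'", f"'nonce-{nonce}'"],
        "style-src": ["'self'", f"'nonce-{nonce}'"],
        "img-src": ["'self'", "data:"],
        "font-src": ["'self'"],
        "connect-src": ["'self'"],
        "frame-ancestors": ["'none'"],
        "base-uri": ["'self'"],
        "form-action": ["'self'"],
        "upgrade-insecure-requests": [],
        "report-uri": [REPORT_URI],
    }


def legacy_policy() -> Dict[str, List[str]]:
    # The kind of policy the issue wants to retire: inline code is allowed,
    # so a single injected <script> tag executes.
    return {
        "default-src": ["'self'"],
        "script-src": ["'self'", "'unsafe-inline'"],
        "style-src": ["'self'", "'unsafe-inline'"],
        "img-src": ["'self'", "data:"],
    }


def unsafe_inline_directives(policy: str) -> List[str]:
    """Return the names of directives that still list 'unsafe-inline'."""
    hits = []
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and "'unsafe-inline'" in tokens[1:]:
            hits.append(tokens[0])
    return hits


def response_headers(nonce: str, enforce_strict: bool) -> Dict[str, str]:
    """Headers for one response.

    enforce_strict=False is the transition mode: the old policy is still
    enforced, the strict one only reports, so every remaining inline script
    or style shows up at REPORT_URI without breaking the page.
    """
    strict = build_policy(strict_policy(nonce))
    if enforce_strict:
        return {"Content-Security-Policy": strict}
    return {
        "Content-Security-Policy": build_policy(legacy_policy()),
        "Content-Security-Policy-Report-Only": strict,
    }


def render_inline_script(nonce: str, body: str) -> str:
    # The only inline script the strict policy will execute is one whose
    # nonce attribute equals the value in the header for this response.
    return f'<script nonce="{nonce}">{body}</script>'


if __name__ == "__main__":
    nonce = make_nonce()
    for mode in (False, True):
        print(f"enforce_strict={mode}")
        for name, value in response_headers(nonce, mode).items():
            print(f"  {name}: {value}")
            print(f"    unsafe-inline in: {unsafe_inline_directives(value) or 'none'}")
    print(render_inline_script(nonce, 'document.body.dataset.ready="1";'))
```

Run in report-only mode first, watch the reports for the inline scripts and styles apps still emit, convert those to nonced or external resources, and flip enforce_strict once the report volume drops to zero. Nonces must be unique per response, so the HTML carrying them cannot be served from a shared cache; if pages are cached, hashes ('sha256-...') of the fixed inline blocks are the alternative.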
