User story #27119
Parent: User story #26934 (open): Enable CSP on all pages and add tag to exclude a page
CSP headers for pages without scripts are always set with static nonce
Pull Request:
UX impact:
Suggestion strength: Require - I need this to use Rudder as I intend
User visibility: First impressions of Rudder
Effort required: Very Small
Name check: To do
Fix check: To do
Regression: No
Description
In the parent issue, CSP headers are enabled on all pages (except those specifically disabled), but they also add script-src 'nonce-unknown-value' to every response, including API AJAX calls, images, CSS, etc.

The static value unknown-value could then be used in other content that supports CSP (with content-type type/xml, or others), because a nonce that is the same on every response is no longer a per-request secret.

We should set the header to script-src 'none' for pages that contain no script tagged with the per-request nonce value generated by the server. This avoids the potential security issue of the static value above being usable in other CSP-compatible resources.
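The fix described above, as an added example in Python (this is not Rudder's code, which is Scala; function names, the sample paths and the response list are constructed for illustration, and the nonce value unknown-value is taken from the issue text). build_csp emits script-src 'none' unless the response actually rendered a script tagged with this request's nonce, and audit_responses scans recorded responses for the two anti-patterns the issue describes: one nonce value repeated across responses, and a nonce issued to a response that cannot carry a nonced script at all.

```python
"""Added example, not part of Rudder: per-response CSP construction and an
audit for static or misplaced nonces. All names and sample data are assumed."""

import re
import secrets
from collections import Counter
from typing import List, Optional, Tuple

# Matches every 'nonce-<value>' source expression inside a CSP header value.
NONCE_RE = re.compile(r"'nonce-([^']+)'")


def new_nonce() -> str:
    """Fresh, unguessable per-request nonce (128 bits, URL-safe base64)."""
    return secrets.token_urlsafe(16)


def build_csp(has_nonced_script: bool, nonce: Optional[str] = None) -> str:
    """Return the Content-Security-Policy value for one response.

    has_nonced_script is True only when the HTML body contains <script nonce=...>
    tags carrying *this* request's nonce. For every other response (JSON, images,
    CSS, XML, ...) scripts are forbidden outright instead of advertising a nonce
    that nothing in the body uses.
    """
    if not has_nonced_script:
        return "default-src 'self'; script-src 'none'"
    if not nonce:
        raise ValueError("a response with a nonced script needs a per-request nonce")
    return f"default-src 'self'; script-src 'nonce-{nonce}'"


Response = Tuple[str, str, str]  # (path, content_type, csp_header_value)


def audit_responses(responses: List[Response]) -> list:
    """Flag CSP nonce anti-patterns in recorded responses.

    Findings are tuples:
      ("static-nonce", value, occurrences)  - same nonce seen in >1 response,
                                              so it is not per-request any more
      ("nonce-without-script", path, value) - nonce issued to a non-HTML
                                              response that cannot carry it
    """
    findings = []
    seen = Counter()
    for path, ctype, csp in responses:
        for value in NONCE_RE.findall(csp):
            seen[value] += 1
            if not ctype.startswith("text/html"):
                findings.append(("nonce-without-script", path, value))
    for value, count in seen.items():
        if count > 1:
            findings.append(("static-nonce", value, count))
    return findings


# Constructed sample: the behaviour the issue reports, one static nonce everywhere.
BEFORE: List[Response] = [
    ("/app/index.html", "text/html; charset=utf-8", "script-src 'nonce-unknown-value'"),
    ("/api/items", "application/json", "script-src 'nonce-unknown-value'"),
    ("/static/logo.png", "image/png", "script-src 'nonce-unknown-value'"),
    ("/api/export.xml", "text/xml", "script-src 'nonce-unknown-value'"),
]

# Constructed sample: (path, content_type, renders_nonced_script) as the server
# would know it at render time; only the HTML page embeds a nonced <script>.
REQUESTS = [
    ("/app/index.html", "text/html; charset=utf-8", True),
    ("/api/items", "application/json", False),
    ("/static/logo.png", "image/png", False),
    ("/api/export.xml", "text/xml", False),
]


def serve_fixed(requests=REQUESTS) -> List[Response]:
    """Apply build_csp to each request with a fresh nonce only where needed."""
    out = []
    for path, ctype, renders_script in requests:
        nonce = new_nonce() if renders_script else None
        out.append((path, ctype, build_csp(renders_script, nonce)))
    return out


if __name__ == "__main__":
    for finding in audit_responses(BEFORE):
        print("before:", finding)
    print("after: ", audit_responses(serve_fixed()) or "no findings")
```

Deciding has_nonced_script at render time (rather than from the content type alone) is what keeps the header honest: an HTML page that happens to render no script also gets script-src 'none', and a nonce is only ever emitted together with the markup that consumes it.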