Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support a strict CSP-SOP #5972

Open
narcisgarcia opened this issue Dec 14, 2024 · 1 comment
Open

Support a strict CSP-SOP #5972

narcisgarcia opened this issue Dec 14, 2024 · 1 comment
Assignees
@ywarnier
Labels
Enhancement
Milestone
1.11.30

Comments

@narcisgarcia
Copy link

narcisgarcia commented Dec 14, 2024
edited
Loading

I'm using this directive on webserver and I get A+ score in CSP tests:

Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: blob:; media-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline' data:; font-src 'self' data: blob:; object-src 'self'; base-uri 'self'; connect-src 'self'; form-action 'self'; frame-ancestors 'self'"

But embedded text-editor it only works if I add 'unsafe-inline' and 'unsafe-eval' to script-src.

This should also be warned on web UI install wizard and documentation.
@ywarnier ywarnier added this to the 1.11.28 milestone Jan 14, 2025
@ywarnier
Copy link
Member

@narcisgarcia thanks. The script-src allowance with the inline-editor is an issue we haven't been able to solve.
I guess you are reporting this for Chamilo 1.11.28, right?

@ywarnier ywarnier self-assigned this Jan 14, 2025
@ywarnier ywarnier modified the milestones: 1.11.28, 1.11.30 Jan 14, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@ywarnier ywarnier

Labels
Enhancement
Projects
None yet
Milestone
1.11.30
Development

No branches or pull requests
2 participants
@ywarnier @narcisgarcia