#100 - Enforce a Content Security Policy (CSP)

Status: Open

Content Security Policies tell the browser to restrict where resources, like JavaScript, can be loaded from. They are a good defense against cross-site scripting (XSS) attacks.

We should try to move towards a CSP of at least default-src 'self', ideally also adding object-src 'none'. These would require that we don't use inline JavaScript, but load it properly via script files with hashes/nonces.

https://content-security-policy.com/faq/
https://content-security-policy.com/strict-dynamic/
https://content-security-policy.com/nonce/
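The direction sketched above (default-src 'self', object-src 'none', per-request nonces, hashes for inline scripts, 'strict-dynamic') as a worked example added here; this is not ITFlow code. It is a PHP helper of the kind that could sit in a shared header include. The function names (csp_nonce, csp_script_hash, csp_policy, csp_send), the directive set beyond the two named in the issue, and the /js/app.js path are assumptions for illustration.

```php
<?php
declare(strict_types=1);
// Added example, not ITFlow code. Assumes it is required from a shared header include
// that runs before any HTML output, so header() can still be sent.

// One nonce per request, reused for the header and every <script nonce="..."> on the page.
function csp_nonce(): string
{
    static $nonce = null;
    if ($nonce === null) {
        $nonce = base64_encode(random_bytes(16)); // 128 bits from the CSPRNG
    }
    return $nonce;
}

// Hash source for an inline script that cannot carry a nonce (e.g. markup a library emits).
// The hash covers the exact bytes between <script> and </script>, whitespace included.
function csp_script_hash(string $inline_script): string
{
    return "'sha256-" . base64_encode(hash('sha256', $inline_script, true)) . "'";
}

// Build the policy string. $extra_script_hashes holds values from csp_script_hash().
// 'self' is kept as a fallback: browsers that understand 'strict-dynamic' ignore it and
// allow only nonce/hash-tagged scripts plus whatever those scripts load dynamically.
function csp_policy(string $nonce, array $extra_script_hashes = []): string
{
    $script_src = array_merge(
        ["'self'", "'nonce-{$nonce}'", "'strict-dynamic'"],
        $extra_script_hashes
    );
    $directives = [
        "default-src 'self'",
        'script-src ' . implode(' ', $script_src),
        "object-src 'none'",
        "base-uri 'none'",       // assumed extra: stops <base> injection from re-pointing relative URLs
        "frame-ancestors 'self'", // assumed extra: clickjacking protection
    ];
    return implode('; ', $directives);
}

// Send the header. With $report_only = true the browser only logs violations (console or
// a report endpoint), which is how to inventory pages that break before enforcing.
function csp_send(bool $report_only, array $extra_script_hashes = []): void
{
    $name = $report_only ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    header($name . ': ' . csp_policy(csp_nonce(), $extra_script_hashes));
}

// Usage in a page (assumed layout): one inline bootstrap snippet allowed by hash,
// everything else loaded from nonce-tagged external script files.
$inline = 'window.appConfig = {"portal": true};';
csp_send(true, [csp_script_hash($inline)]);

$nonce = htmlspecialchars(csp_nonce(), ENT_QUOTES, 'UTF-8');
echo '<script>' . $inline . '</script>';
echo '<script nonce="' . $nonce . '" src="/js/app.js"></script>';
```

Two things to watch when using this shape: the hash must be recomputed whenever the inline snippet changes by even one byte, so hashes suit stable bootstrap code and nonces suit everything else; and the Report-Only header is the safe way to find pages that break (the TinyMCE case above would show up as violations) before switching to enforcement.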

Have started on some specific client portal pages, but this seems to break things like TinyMCE. Until we can add this as part of the header includes, we'll have to track individual pages that can and can't have CSP applied:

General (main app)

Client Portal

  • Added to a few pages: index, invoices, login, profile, tickets

Guest Views

Misc


Migrated from https://github.com/itflow-org/itflow/issues/1036

Milestone:
No milestone set
Assigned To: =^_^=Marcus
Created Date: 2025-03-03 13:12:41
Discussion Link:

No Comments