https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397
--- Comment #7 from Jake Deery <[email protected]> ---

Hi Michal,

I agree; long-term, having a syspref or sysprefs to manage these things would be preferable. In the meantime, I think our starting goal should be implementing something along the lines of:

    # Disable unsafe inline/eval, only allow loading of resources (images, fonts, scripts, etc.) over https
    # Note that this does not provide any XSS protection
    Content-Security-Policy: default-src https:

... as a basic (mandatory) rule. It does not provide any real security gains, but it begins to encourage good practice regarding not placing JavaScript inline in future (as it simply won't work).

Once we've covered this as a base, I think that would be the time to move on to adding stricter and more customisable CSP headers.

Discussion time; what are everyone's thoughts on this? I could perhaps write a patch as a proof-of-concept?

-- 
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/
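To make the effect of the proposed header concrete, here is a small evaluator for the fetch-directive subset of CSP; it is an added illustration, not Koha code, and the origins and URLs in it are constructed. It shows that `default-src https:` blocks inline script and style, eval(), and any http: or data: load, while letting https: resources through, and how a later `script-src` directive would override the fallback.

```python
"""Toy CSP evaluator (fetch directives only), written to illustrate what
'Content-Security-Policy: default-src https:' permits. Added example, not
Koha code; page_origin and the URLs used in tests are constructed values."""
from urllib.parse import urlsplit


def parse_csp(header):
    """'default-src https:; img-src *' -> {'default-src': ['https:'], 'img-src': ['*']}"""
    policy = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy


def _sources(policy, directive):
    # Fetch directives (script-src, style-src, img-src, ...) fall back to
    # default-src; with neither present the load is unrestricted (None).
    return policy.get(directive, policy.get("default-src"))


def allows_inline(policy, directive="script-src"):
    """Inline <script>, onclick= handlers (or inline <style>) need 'unsafe-inline'."""
    srcs = _sources(policy, directive)
    return srcs is None or "'unsafe-inline'" in srcs


def allows_eval(policy):
    """eval(), new Function() and string-argument setTimeout need 'unsafe-eval'."""
    srcs = _sources(policy, "script-src")
    return srcs is None or "'unsafe-eval'" in srcs


def allows_url(policy, directive, url, page_origin="https://opac.example.org"):
    """Can `url` be fetched under `directive`? Handles 'none', 'self', '*',
    scheme-sources such as https: and host-sources such as cdn.example.org."""
    srcs = _sources(policy, directive)
    if srcs is None:
        return True
    u, page = urlsplit(url), urlsplit(page_origin)
    for s in srcs:
        if s == "'none'":
            return False
        if s == "*" and u.scheme not in ("data", "blob", "filesystem"):
            return True          # '*' never matches data:/blob:/filesystem:
        if s == "'self'" and (u.scheme, u.netloc) == (page.scheme, page.netloc):
            return True
        if s.endswith(":") and s[:-1] == u.scheme:
            return True          # scheme-source, e.g. https:
        if "://" in s and s.split("://")[0] != u.scheme:
            continue             # host-source with a non-matching scheme
        host = s.split("://", 1)[-1]
        if host == u.netloc or (host.startswith("*.") and u.netloc.endswith(host[1:])):
            return True
    return False
```

Note that the same fallback also blocks data: images and ws:/wss: connections unless a more specific directive re-allows them, which is worth checking against the OPAC and staff client before making the rule mandatory.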
