https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397
David Cook changed:
What | Removed | Added
CC | | eugen...@yahoo.com
--- Comment #21 from David Cook ---
However, overall, I'm pretty pleased with this change. I've done some testing
and it works very well, and at a glance Koha seems to keep working. (Adding
that "nonce" really makes all the
David Cook changed:
What | Removed | Added
Status | NEW | In Discussion
--- Comment #20
--- Comment #19 from David Cook ---
Created attachment 154582
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154582&action=edit
Bug 20397: Add CSP nonce to all OPAC
--- Comment #18 from David Cook ---
Created attachment 154581
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154581&action=edit
Bug 20397: Add CSP nonce to all staff interface
--- Comment #17 from David Cook ---
Created attachment 154580
--> https://bugs.koha-community.org/bugzilla3/attachment.cgi?id=154580&action=edit
Bug 20397: Add default Content-Security-Policy
This patch adds a default
--- Comment #16 from David Cook ---
(In reply to David Cook from comment #15)
> We'd need to generate the nonce and pass it to the $template in
> C4::Auth::get_template_and_user().
But then we also need to get it into C4::Output.
--- Comment #15 from David Cook ---
For our inline scripts (like OpacUserJS and IntranetUserJS), we could use a
nonce.
We'd need to generate the nonce and pass it to the $template in
C4::Auth::get_template_and_user().
Then we
--- Comment #14 from David Cook ---
I'd like to revisit this one soon.
--
You are receiving this mail because:
You are watching all bug changes.
You are the assignee for the bug.
Patrick Robitaille changed:
What | Removed | Added
CC |
Noémie Labine changed:
What | Removed | Added
CC | | noemie.lab...@collecto.ca
--- Comment #13 from Jake Deery ---
Thanks for all your input, Katrin!
I'll probably be back with some more questions, when I think of some. I need to
get into the habit of using IRC to chat with everyone! :-)
I can see this as
--- Comment #12 from Katrin Fischer ---
I'll have to leave those questions for someone else I am afraid - a bit out of
my depth here. :(
--- Comment #11 from Jake Deery ---
Thank you, so far it's been very mild, so thankfully I'm feeling I will pass
through it quickly and be able to return to normality soon!
That's a valid point! Plus, provided the file is being
--- Comment #10 from Katrin Fischer ---
Hi Jake - first of all: hope you feel better soon!
I worry about having silly suggestions too, so maybe that is not related :)
I am not sure if save and rebuild being separate makes sense,
--- Comment #9 from Jake Deery ---
Katrin -
I didn't realise you could set 'unsafe-inline'. That would be a great first
step, and something we could probably implement quite quickly with minimal
disruption :-)
The OpacUserJs
--- Comment #8 from Katrin Fischer ---
New to the topic, so I hope what I gathered from reading documentation is about
right:
"Aiming for default-src https: is a great first goal, as it disables inline
code and requires https.
For
--- Comment #7 from Jake Deery ---
Hi Michal,
I agree; long-term, having a syspref or sysprefs to manage these things would
be preferable. In the meantime, I think our starting goal should be
implementing something along the lines
--- Comment #6 from Michal Denar ---
Hi,
we can take inspiration from VuFind. It's not in Perl, but the basic principle
is the same or similar.
https://vufind.org/wiki/administration:security:content_security_policy
--- Comment #5 from Jake Deery ---
Hi,
We are seeing more and more customers flag this in their security audits. Is
there anything that can be done to expedite this bug (I was planning on taking
a look at this myself in the near
Jake Deery changed:
What | Removed | Added
CC | | jake.de...@ptfs-europe.com
David Cook changed:
What | Removed | Added
See Also | | https://bugs.koha-community
--- Comment #4 from David Cook ---
(In reply to Benjamin Daeuber from comment #2)
> We're currently experimenting with this in response headers in Apache,
> though part of the struggle is getting a hold on the variety of resources
>
David Cook changed:
What | Removed | Added
CC | | dc...@prosentient.com.au
Marcel de Rooy changed:
What | Removed | Added
CC | | m.de.r...@rijksmuseum.nl
Benjamin Daeuber changed:
What | Removed | Added
CC | | bdaeu...@cityoffargo.com
Liz Rea changed:
What | Removed | Added
CC | | wizzy...@gmail.com
--- Comment
Tomás Cohen Arazi changed:
What | Removed | Added
CC |
claire.hernan...@biblibre.com changed:
What | Removed | Added
CC |
Josef Moravec changed:
What | Removed | Added
CC |