Re: Content Security Policy Headers

2020-01-10 Thread Jason E Bailey
I should have been more specific. I have a security person who wants us to remove the unsafe-inline for the javascript. This has taken up so much of my focus that I forget all about the rest of it. To pull off the removal of the unsafe-inline you have to use hashes for the javascript or a nonce

Re: Content Security Policy Headers

2020-01-10 Thread Eric Norman
I set these headers (and HSTS header) with a simple servlet filter. Regards, Eric On Fri, Jan 10, 2020, 9:26 AM Jason E Bailey wrote: > If you're not familiar with them > > https://tools.ietf.org/html/rfc7231 > https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP > > I'm wondering if anyone

Re: Content Security Policy Headers

2020-01-10 Thread Daniel Klco
Jason, Rather than putting the headers in Sling, I'd recommend supplying the CSP in your caching (httpd etc) layer. Something like this: Header set X-Frame-Options "ALLOW-FROM https://launch.adobe.com"; Header set X-XSS-Protection "1; mode=block" Header set X-Content-Type-Options

Content Security Policy Headers

2020-01-10 Thread Jason E Bailey
If you're not familiar with them https://tools.ietf.org/html/rfc7231 https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP I'm wondering if anyone has used the CSP to secure javascript and styles successfully in Sling and what techniques did they use to get there. I'm about to raise an issue

Dynamic Include - proposal to remove all package exports

2020-01-10 Thread Robert Munteanu
Hi, While moving the Sling Dynamic Include module to use the new OSGi annotations, I noticed that the annotation caused breaking changes, since almost all packages are exported. That looked suspicious to me, as I think the SDI bundle is intended to be dropped in and configured, not reused