Do not add signatures if unsafe-inline is enabled
#335
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Seldaek
reviewed
Feb 27, 2024
Comment on lines
+143
to
+145
| // Do not add any signatures if 'unsafe-inline' is allowed anyway | ||
| } elseif (false !== strpos($value, '\'unsafe-inline\'')) { | ||
| $policy[] = $name.' '.$value; |
Member
There was a problem hiding this comment.
This is risky IMO, because if you use signatures then unsafe-inline will be ignored by modern browsers supporting CSP2. It's merely there as a fallback.
Now with your change suddenly having unsafe-inline in an existing config would silently break/remove signatures.
I think the more appropriate way is to disable the hash functionality if you are not interested in outputting hashes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Currently signatures are explicitly still added, even if
unsafe-inlinewas already present in thescript-srcorstyle-srcdirective. However, if your application adds a lot of hashes (forstyle="…"for example) and you decide to instead allowunsafe-inlinein general, the hashes are still output in the response header. This might lead to the response header size being too large, if there are a lot of long hashes for exampleThis PR would automatically not apply any signatures, if
unsafe-inlinewas enabled.wdyt?