CSP-header unsafe inline


Maarten

Jun 16, 2025, 8:28:08 AMJun 16
to vocbench-user
Hi there,

We are running a ZAP test on our running version of VocBench and are receiving notifications regarding the use of the source list reference unsafe-inline. I assume you have intentionally set this header. However, from a security perspective, this is undesirable within our organization. Is this something you are able to address? Thank you in advance.

Kind regards,

Maarten

Tiziano Lorenzetti

Jun 16, 2025, 11:02:30 AMJun 16
to Maarten, vocbench-user
Dear Maarten,

You're correct: the current Content-Security-Policy header includes unsafe-inline for the style-src directive. In the past, we explicitly added a CSP header for other security-related reasons.
As a consequence, it became necessary to also include 'unsafe-inline' for styles, since omitting style-src would cause the browser to fall back to default-src, which would block inline styles.
This would break the UI, as inline styling is currently widely used throughout VocBench.

At the moment, the CSP header is hardcoded and cannot be customized without releasing a new version (or without manually rebuilding the backend).
Moreover, even if the directive were removed, it would break the UI unless all inline style="..." usages were refactored into CSS classes, which is currently not feasible given how extensively inline styles are used throughout the components.

We acknowledge the concern and will take it into account when planning future refactoring. That said, this is not something currently scheduled in the short term.

Best regards,
Tiziano
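An added example (not code from the VocBench project or from either poster) that models the fallback behaviour described in the reply above: a small CSP resolver in Python showing that a missing style-src is governed by default-src, that 'unsafe-inline' admits every inline style, and that a hash-source admits one specific inline <style> block without 'unsafe-inline'. The headers and CSS below are constructed samples, not VocBench's actual policy.

```python
import base64
import hashlib


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def governing_sources(policy: dict[str, list[str]], directive: str) -> tuple[str, list[str]]:
    """Fetch directives such as style-src fall back to default-src when they are absent."""
    if directive in policy:
        return directive, policy[directive]
    return "default-src", policy.get("default-src", [])


def style_hash(css: str) -> str:
    """Hash-source ('sha256-<base64>') for the body of an inline <style> element."""
    digest = hashlib.sha256(css.encode("utf-8")).digest()
    return "sha256-" + base64.b64encode(digest).decode("ascii")


def inline_style_allowed(header: str, css: str) -> tuple[bool, str]:
    """Decide whether an inline <style> body passes the header's style policy.
    Returns (allowed, reason). Nonces are left out; they are handled like hashes.
    Note: hash-sources cover <style> elements only; style="..." attributes, which
    the thread says VocBench relies on, additionally need 'unsafe-hashes' in CSP3."""
    directive, sources = governing_sources(parse_csp(header), "style-src")
    hashes = {s.strip("'") for s in sources if s.startswith("'sha")}
    # CSP Level 2+: once a hash or nonce is listed, 'unsafe-inline' is ignored.
    if "'unsafe-inline'" in sources and not hashes:
        return True, f"{directive} permits all inline styles via 'unsafe-inline'"
    if style_hash(css) in hashes:
        return True, f"{directive} allows this exact style block by hash"
    return False, f"{directive} blocks inline styles (no 'unsafe-inline' or matching hash)"


# Constructed sample policies and stylesheet (not VocBench's real header).
SAMPLE_CSS = ".sidebar { width: 240px; }"
NO_STYLE_SRC = "default-src 'self'"                                        # falls back, blocked
WITH_UNSAFE_INLINE = "default-src 'self'; style-src 'self' 'unsafe-inline'"  # what ZAP flags
HASH_ALLOWLIST = f"default-src 'self'; style-src 'self' '{style_hash(SAMPLE_CSS)}'"

if __name__ == "__main__":
    for name, header in [("no style-src", NO_STYLE_SRC),
                         ("unsafe-inline", WITH_UNSAFE_INLINE),
                         ("hash allowlist", HASH_ALLOWLIST)]:
        print(f"{name:15} -> {inline_style_allowed(header, SAMPLE_CSS)}")
```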
