Changes between Version 1 and Version 2 of Ticket #39941, comment 26
Timestamp: 03/20/2019 10:50:09 PM (5 years ago)
Ticket #39941, comment 26

Unmodified (v1 and v2):

> Only the application itself will know the elements that need to be allowed,

Modified, v1:

If you don't use inline javascript at all, then you will know exactly which elements need nonces: none of them. And if the javascript is inline but static then you can use checksums at deploy time instead.

Modified, v2:

If you don't use inline javascript at all, then you will know exactly which elements need nonces: none of them. And if the javascript is inline but static then you can configure the CSP to use checksums at deploy time instead.

Unmodified (v1 and v2):

All javascript should be moved to separate files. The javascript itself should be static... not templated via php... and thus not at risk of code injection via php. This restriction then allows features of CSP (such as strict-dynamic) to work as intended. Then the needed CSP policy would be known at deploy time and can be set in an independent application (httpd), applying the principle of [https://www.owasp.org/index.php/Separation_of_duties separation of duties].
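The deploy-time checksum approach the comment describes, as an added example that is not code from the ticket or from WordPress: it scans a static template for inline scripts, emits the `'sha256-...'` source expression for each, and renders the resulting `script-src` as an httpd `Header` directive. The template, the `/js/app.js` path and the helper names are constructed for illustration.

```python
"""Deploy-time CSP hash generation for static (non-templated) inline scripts."""
import base64
import hashlib
import re

# Matches <script>...</script> blocks that carry no src attribute. The hash
# must cover the exact text between the tags, whitespace included, because
# that is what the browser hashes when it checks the policy.
_INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc=)[^>]*>(.*?)</script>", re.S | re.I)


def csp_hash(script_body: str) -> str:
    """Return the CSP source expression ('sha256-<base64>') for one inline script."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def inline_script_hashes(html: str) -> list[str]:
    """Hash every inline script in a static page in document order."""
    return [csp_hash(m.group(1)) for m in _INLINE_SCRIPT.finditer(html)]


def build_script_src(hashes, strict_dynamic=False) -> str:
    """Assemble the script-src directive from the deploy-time hashes.

    With 'strict-dynamic', CSP3 browsers ignore host sources such as 'self',
    so every parser-inserted script then needs its own hash or nonce.
    """
    parts = ["'self'"] + list(hashes)
    if strict_dynamic:
        parts.append("'strict-dynamic'")
    return "script-src " + " ".join(parts)


def apache_header_line(policy: str) -> str:
    """Render the directive for httpd.conf, keeping the policy out of the app."""
    return f'Header always set Content-Security-Policy "{policy}"'


# Constructed sample template: one external file, one static inline script.
SAMPLE_HTML = """<html><head>
<script src="/js/app.js"></script>
<script>window.siteConfig = {"version": "5.1"};</script>
</head><body></body></html>"""

if __name__ == "__main__":
    policy = build_script_src(inline_script_hashes(SAMPLE_HTML), strict_dynamic=True)
    print(apache_header_line(policy))
```

Because the hash is over the byte-exact script body, any minifier or template pass that alters whitespace after the hashes were computed will break the policy, which is why the comment insists the scripts be static.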