Create script-src from script-src-attr and script-src-elem

Created on 8 December 2019, over 5 years ago

Updated 19 January 2024, about 1 year ago

Setting all three of script-src, script-src-elem, script-src-attr (or style), can be confusing, and prone to some issues when altering a policy.

Script-src could be created automatically by the union of the more specific directives. If a more specific directive matches its nearest fallback, then it is already removed from the output since it's not necessary.

One issue is considering 'unsafe-inline', which is disabled if a hash or nonce is specified - should the combined policy be more lenient and remove the hash or nonce values, or strictly merge all values.

Maybe something to leave for 2.0

✨ Feature request

Status

Postponed

Version

2.0

Component

Code

Created by

🇨🇦Canada gapple

Live updates comments and jobs are added and updated live.

Incomplete comments

Comments & Activities

Not all content is available!

It's likely this issue predates Contrib.social: some issue and comment data are missing.

Comment over 1 year ago →
🇨🇦Canada gapple
I see I may have not been clear in my descriptions - neither -elem or -attr would be removed from the policy. The base directive would be determined from the more specific directives' values, but all three directives would be included in the header.

The intent is to reduce the likely hood of someone incorrectly configuring the base directive themself in a way that would result in different behaviour between browsers that did or did not support the more specific directives.
Status changed to Postponed about 1 year ago9:29am 19 January 2024
Comment about 1 year ago →
🇨🇦Canada gapple

contrib.social Blog FAQ Discussions

Production build 0.71.5 2024