marschall / CSP-Hack

An exploration of how to make CSP work with Seaside.

CSP Hack

Exploration of how to make Content Security Policy work with Seaside.

The current approach works with a combination of:

  • A filter that generates a nonce for every request, stores it in the request context and generates a CSP HTTP header.
  • A custom document that makes sure a nonce is added to every <script> element that does not already have it.

A custom script generator does not work, since it can only add a nonce to <script> elements in the <body>, not to <script> elements in <head>. The <script> elements in <head> need a nonce as well, because the combination 'self' 'nonce-' does not work with Firefox; only the combination 'strict-dynamic' 'nonce-' does.
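The two pieces described above, a per-request nonce filter and a document post-pass that stamps every <script> (head and body alike) with that nonce, sketched in Python as an added illustration of the mechanism rather than this repository's Smalltalk/Seaside code; the `csp_filter`, the dict standing in for the request context and the sample page are constructed for this example.

```python
import base64
import re
import secrets

# Matches each opening <script ...> tag; group 1 holds its attribute text.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>", re.IGNORECASE)
HAS_NONCE = re.compile(r"\bnonce\s*=", re.IGNORECASE)


def make_nonce() -> str:
    """128 random bits, base64-encoded so the value is valid in a CSP source list."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def csp_header(nonce: str) -> str:
    """Header value using the combination the README found to work: 'strict-dynamic' plus the nonce."""
    return f"script-src 'strict-dynamic' 'nonce-{nonce}'; object-src 'none'; base-uri 'none'"


def add_nonces(html: str, nonce: str) -> str:
    """Stamp every <script> in the whole document (head included) that lacks a nonce."""
    def stamp(match: re.Match) -> str:
        attrs = match.group(1)
        if HAS_NONCE.search(attrs):
            return match.group(0)  # already carries a nonce: leave it untouched
        return f'<script nonce="{nonce}"{attrs}>'
    return SCRIPT_TAG.sub(stamp, html)


def csp_filter(render) -> tuple[dict, str]:
    """Per-request filter (constructed stand-in for a Seaside filter): mint a nonce,
    expose it through the request context, render, post-process the document, set the header."""
    context = {"nonce": make_nonce()}  # stands in for the request context
    body = add_nonces(render(context), context["nonce"])
    headers = {"Content-Security-Policy": csp_header(context["nonce"])}
    return headers, body


def sample_page(context: dict) -> str:
    """Constructed page: one script in <head>, one inline in <body>, one already nonced."""
    return (
        "<html><head><script src='/app.js'></script></head>"
        "<body><script>init();</script>"
        f"<script nonce=\"{context['nonce']}\">console.log('pre-stamped');</script>"
        "</body></html>"
    )


if __name__ == "__main__":
    headers, body = csp_filter(sample_page)
    print(headers["Content-Security-Policy"])
    print(body)
```

Every nonce in the document must equal the one in the header of the same response, and each response must get a fresh one; the test below checks both.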

Languages

Language: Smalltalk 100.0%