Comment 0 for bug 1734767

Revision history for this message
Robert Lyon (robertl-9) wrote : Mahara needing the Content Security Policy (CSP) to define what is/isn't allowed

Content Security Policy (CSP) is an HTTP header that allows site operators fine-grained control over where resources on their site can be loaded from. The use of this header is the best method to prevent cross-site scripting (XSS) vulnerabilities.

To implement this we will need to make the value editable by site admins, as some sites may need to be more relaxed than others.

A good tool for working out what is needed is
https://report-uri.com/home/generate

There are 'report' options that will allow an admin to get info on what things are violating the policy to help fine tune what settings are needed.
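As an added example (not Mahara's own code and not part of the comment above), the following PHP sketch shows the two pieces the comment calls for: a site-admin-editable policy turned into a Content-Security-Policy header, and a report-only mode plus a small receiver for the violation reports an admin would use to tune the policy before enforcing it. The function names, the $adminpolicy array shape and the /csp-report.php endpoint are assumptions for illustration.

```php
<?php
// Added example, not Mahara's code. Function names, the $adminpolicy array
// shape and the /csp-report.php endpoint are assumptions for illustration.

/**
 * Turn an associative array of directive => list of sources into a CSP header
 * value. Malformed directive names, empty directives and sources containing
 * the ';' separator are skipped so admin input cannot split the header.
 */
function build_csp_header(array $policy): string {
    $directives = [];
    foreach ($policy as $directive => $sources) {
        $directive = strtolower(trim((string) $directive));
        if (!preg_match('/^[a-z][a-z-]*$/', $directive)) {
            continue;
        }
        $sources = array_map('trim', (array) $sources);
        $sources = array_filter($sources, function ($s) {
            return $s !== '' && strpos($s, ';') === false;
        });
        $sources = array_values(array_unique($sources));
        if ($sources === []) {
            continue;
        }
        $directives[] = $directive . ' ' . implode(' ', $sources);
    }
    return implode('; ', $directives);
}

/**
 * Send the policy. With $reportonly true the browser enforces nothing and
 * only posts violation reports to $reporturi; that is how an admin can see
 * what a stricter policy would break before switching to enforcement.
 * Returns the full header line so callers (or tests) can inspect it.
 */
function send_csp(array $policy, bool $reportonly, ?string $reporturi = null): string {
    if ($reporturi !== null) {
        $policy['report-uri'] = [$reporturi];
    }
    $name  = $reportonly ? 'Content-Security-Policy-Report-Only' : 'Content-Security-Policy';
    $value = build_csp_header($policy);
    if (!headers_sent()) {
        header($name . ': ' . $value);
    }
    return $name . ': ' . $value;
}

/**
 * Receiver side: parse a report posted by the browser to the report-uri.
 * The browser sends JSON with a top-level "csp-report" object; only the
 * fields an admin needs for tuning are kept. Returns null on bad input.
 */
function parse_csp_report(string $json): ?array {
    $data = json_decode($json, true);
    if (!is_array($data) || !isset($data['csp-report']) || !is_array($data['csp-report'])) {
        return null;
    }
    $r = $data['csp-report'];
    return [
        'document'  => (string) ($r['document-uri'] ?? ''),
        'directive' => (string) ($r['effective-directive'] ?? $r['violated-directive'] ?? ''),
        'blocked'   => (string) ($r['blocked-uri'] ?? ''),
    ];
}

// Constructed example of a site-admin-editable policy: a strict baseline
// that a more relaxed site could loosen, e.g. by adding a CDN to script-src.
$adminpolicy = [
    'default-src'     => ["'self'"],
    'script-src'      => ["'self'"],
    'style-src'       => ["'self'", "'unsafe-inline'"],
    'img-src'         => ["'self'", 'data:'],
    'frame-ancestors' => ["'none'"],
];

// Start in report-only mode while tuning, then flip the flag to enforce.
echo send_csp($adminpolicy, true, '/csp-report.php'), "\n";

// Constructed sample of what the browser would POST to /csp-report.php.
$sample = '{"csp-report":{"document-uri":"https://mahara.example/view/view.php",'
        . '"violated-directive":"script-src","effective-directive":"script-src",'
        . '"blocked-uri":"https://cdn.example/widget.js"}}';
$report = parse_csp_report($sample);
if ($report !== null) {
    error_log(sprintf('CSP violation on %s: %s blocked %s',
        $report['document'], $report['directive'], $report['blocked']));
}
```

In a real deployment the receiver would read the body from php://input rather than a literal, and the logged directive/blocked-uri pairs are exactly what an admin needs to decide whether to add a source to the policy or remove the offending resource.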