Todo #6647

Enable CSP for GUI

Added by Chris Buechler over 1 year ago. Updated 27 days ago.

Status: New
Priority: Normal
Category: Web Interface
Target version:
Start date: 07/26/2016
Due date:
% Done: 0%


Description

The nginx instance for the web GUI should enable CSP. Just adding the following works:

add_header Content-Security-Policy "default-src 'self';";

though I suspect that may break some edge case I'm not thinking of. The captive portal nginx instance shouldn't have that set, as people routinely include external resources that would be broken by that.

Adding upgrade-insecure-requests while there wouldn't hurt either.
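
The split described above, as an added example that is not part of the ticket or the project's own configuration: the GUI server sends the policy with upgrade-insecure-requests, and the captive portal server sends none. Hostnames, ports, paths and the /static/ location are placeholders chosen for illustration.

```nginx
# Added example. Hostnames, ports, paths and certificate locations are
# placeholders, not values from the project's configuration.

# Web GUI instance: only same-origin resources are allowed.
server {
    listen 443 ssl;
    server_name gui.example.internal;
    ssl_certificate     /path/to/gui.crt;
    ssl_certificate_key /path/to/gui.key;
    root /path/to/gui/www;

    # Policy from the ticket plus upgrade-insecure-requests.
    # "always" also sends the header on error responses (4xx/5xx).
    add_header Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;" always;

    # To look for breakage before enforcing, send the policy in report-only
    # mode instead; violations then appear in the browser console:
    # add_header Content-Security-Policy-Report-Only "default-src 'self';" always;

    location /static/ {
        # add_header is inherited from the server level only when a block
        # defines no add_header of its own, so the CSP is repeated here.
        add_header Cache-Control "public, max-age=3600" always;
        add_header Content-Security-Policy "default-src 'self'; upgrade-insecure-requests;" always;
    }
}

# Captive portal instance: no CSP header, because portal pages routinely
# include external resources that the policy would block.
server {
    listen 8080;
    server_name portal.example.internal;
    root /path/to/portal/www;
}
```

Running `nginx -t` checks the syntax after the placeholders are replaced; `curl -sI` against each listener shows whether the header is present on the GUI and absent on the portal.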

History

#1 Updated by Jim Thompson about 1 year ago

  • Assignee set to Renato Botelho

#2 Updated by Renato Botelho 2 months ago

  • Target version changed from 2.4.0 to 2.4.1

#3 Updated by Jim Pingle about 1 month ago

  • Target version changed from 2.4.1 to 2.4.2

#4 Updated by Jim Pingle 27 days ago

  • Target version changed from 2.4.2 to 2.4.3
