https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=20397
--- Comment #8 from Katrin Fischer <katrin.fisc...@bsz-bw.de> ---

New to the topic, so I hope what I gathered from reading documentation is about right:

"Aiming for default-src https: is a great first goal, as it disables inline code and requires https. For existing websites with large codebases that would require too much work to disable inline scripts, default-src https: 'unsafe-inline' is still helpful, as it keeps resources from being accidentally loaded over http. However, it does not provide any XSS protection."

I think disabling all inline script would cause quite a lot of side effects at this point in time. I believe we do still have page-specific JS. Maybe we should start with default-src https: 'unsafe-inline'?

Content-Security-Policy-Report-Only might also be useful to get a better idea of the work that needs to be done.

We'd also definitely need a solution for OpacUserJs, and it needs to be something that doesn't require anything server-side to be triggered manually, as a lot of libraries don't have easy access.

I know we have some use cases where we load external JavaScript libraries for tracking, cookie banners and catalog enrichment. Would we need to be able to set script-src in configuration in order to keep that working?

Koha-bugs mailing list
Koha-bugs@lists.koha-community.org
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
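To make the trade-off in the comment concrete, here is an added example (not code from Koha or from the bug's author) that models how a browser picks the governing CSP directive and decides whether a load or an inline script is allowed. The policy strings, the `opac.example.org` origin and the `tracker.example.org` host are constructed for the illustration; nonces, hashes and path matching are deliberately not modelled.

```python
from urllib.parse import urlparse

def parse_csp(header):
    """Split a CSP header into {directive: [source expressions]}."""
    policy = {}
    for directive in header.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy

def source_matches(src, url, origin):
    """Simplified source-expression match: 'none', *, 'self', schemes, hosts
    and *.wildcard hosts. Paths, nonces and hashes are not modelled."""
    u = urlparse(url)
    if src == "'none'":
        return False
    if src == "*":
        return True
    if src == "'self'":
        o = urlparse(origin)
        return (u.scheme, u.netloc) == (o.scheme, o.netloc)
    if src.endswith(":"):                                # scheme-source, e.g. https:
        return u.scheme == src[:-1]
    s = urlparse(src if "://" in src else "//" + src)    # host-source
    scheme_ok = not s.scheme or s.scheme == u.scheme
    host_ok = s.netloc == u.netloc or (
        s.netloc.startswith("*.") and u.netloc.endswith(s.netloc[1:]))
    return scheme_ok and host_ok

def allows(header, directive, url=None, inline=False,
           origin="https://opac.example.org"):   # constructed page origin
    """Would a browser enforcing `header` allow this load or inline script?
    Fetch directives such as script-src fall back to default-src when absent."""
    policy = parse_csp(header)
    sources = policy.get(directive, policy.get("default-src"))
    if sources is None:
        return True                                      # nothing governs it
    if inline:
        return "'unsafe-inline'" in sources
    return any(source_matches(s, url, origin) for s in sources)

# Constructed policies: the "first step" from the comment, and a stricter one
# where external script hosts must be listed explicitly in script-src.
FIRST_STEP = "default-src https: 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self' https://tracker.example.org"
```

Under `FIRST_STEP` an https tracker script needs no separate script-src entry and inline scripts still run (so an injected inline script runs too, which is the "no XSS protection" point quoted above); only http: loads are blocked. Under `STRICT` inline scripts are blocked and the tracker works only because its host is listed.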