gethttpsforfree
Add CSP
Fixes #80
Strangely enough, a CSRF attack can be done solely with CSS, even with plugins/javascript disabled: https://scarybeastsecurity.blogspot.com/2009/12/generic-cross-browser-cross-domain.html
So all this patch does is remove inline styles, add the CSP tag and adjust the JS accordingly.
Sidenote: HPKP (referenced in the issue) is being deprecated by Chrome, so it's probably better not to use it.
Rather than moving the CSS to an external file, I'd use the style-src 'sha256-<digest>' CSP.