Feeling Lucky
?
[#20425] - [4.0] CSP generate & append nonce's using the JDocument api and plg_systemhttpheaders
- Fixed in Code Base
- 16 May 2018
- Medium
- Build: 4.0-dev
- # 20425
- Diff
- zero-24:csp
User tests: Successful: Unsuccessful:
Pull Request for the next step to support CSP by default.
Summary of Changes
Based on the great work by @wilsonge with this changes we append to any inline script that is using the jdocument api the nonce generated on any page load. With this we can whitelist the js we use / injecte via jdocument but block any other JS that is not expected to run.
Testing Instructions
- apply this patch
- enable the plg_system_httpheaders
- check the page source of any page that includes inline js (like the com_fields edit page)
- notice that there is a nonce="RANDOMSTRING" in there.
Expected result
nonce set and used for inline scripts
Actual result
no nonce support at all
Documentation Changes Required
Like earlier you are now required to use the document api to inject your js or at least set the nonce yourself.
| Status | New | ⇒ | Pending |
joomla-cms-bot
- | Category | ⇒ | Libraries Front End Plugins |
| Labels |
Added:
?
|
||
| Status | Pending | ⇒ | Fixed in Code Base |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2018-05-16 14:52:31 |
| Closed_By | ⇒ | wilsonge |