V1.1.0

[andrewmarkham]

Updated the component to automatically the response headers recommended by OWASP to enhance security.

---

This discussion was created from the release V1.1.0.

[blacktambourine]

Hi Andrew,
I'm seeing an issue where an inline script is using the nonce helper (and a nonce is added), but when I set the security settings to "self" and "nonce" i still see the reporting in the console log:

Refused to execute inline script because it violates the following Content Security Policy directive: "script-src 'self' ''nonce-edf3b582-df69-4492-b8f1-dd7db87a2c37''".

Any ideas on how to troubleshoot this?

[andrewmarkham]

Hi,

Can you raise an issue and include an example of the request headers and the generated inline script tag. I can then take a look.

Andy

[andrewmarkham]

Hi Aleksas, For some reason I cannot see this discussion, can you raise as an issue? https://github.com/andrewmarkham/contentsecuritypolicy/issues Thanks From: Aleksas Kazanavicius ***@***.***> Date: Tuesday, 7 February 2023 at 09:43 To: andrewmarkham/contentsecuritypolicy ***@***.***> Cc: Andy Markham ***@***.***>, Author ***@***.***> Subject: Re: [andrewmarkham/contentsecuritypolicy] V1.1.0 (Discussion #20) Hi Andrew, On Friday I came across some strange behavior in the CSP module. Raygun has 2 different endpoints for Report-Uri (Firefox) and Report-To (Edge, Chrome). CSP Module's Report URL accepts Report-Uri Raygun endpoint URL for major browsers (Edge, Chrome and Firefox) with an extra comma at the ending: https://report-to-api.raygun.com/reports-csp?apikey=<https://report-to-api.raygun.com/reports-csp?apikey=%3CYOUR-API-KEY%3E>, So, I found that only this endpoint + comma https://report-to-api.raygun.com/reports-csp?apikey=<https://report-to-api.raygun.com/reports-csp?apikey=%3CYOUR-API-KEY%3E>, reports for all browsers properly. — Reply to this email directly, view it on GitHub<#20 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/ACURL2IJTCG42ON7MDAHN7DWWIKKJANCNFSM5MN3LOYQ>. You are receiving this because you authored the thread.Message ID: ***@***.***>