X3 Photo Gallery Support Forums

Snowrisk
Topic Author
Posts: 3
Joined: 27 Jul 2021, 11:06

CSP Script Security "nonce"

27 Jul 2021, 11:20

Hello Karl,

would it be possible to assign a "nonce" for all scripts so that I can better secure them via the CSP?
If so, what is the best way to do this? Do you have a hint for me?

There is information about CSP here: https://csp.withgoogle.com/docs/strict-csp.html

Best regards
Jens

mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: CSP Script Security "nonce"

28 Jul 2021, 02:45

I'm actually not sure what you hope to achieve. Is your X3 website open to edit from other users that you don't trust, who might include hacked external javascripts? If not, then X3 needs to load the scripts that are hosted safely on jsdelivr.com.

You could of course assign Content-Security-Policy to only allow loading of scripts from *jsdelivr.com* and your own website, but I don't see much benefit.
https://developer.mozilla.org/en-US/doc ... script-src
Snowrisk
Topic Author
Posts: 3
Joined: 27 Jul 2021, 11:06

Re: CSP Script Security "nonce"

28 Jul 2021, 03:05

> Is your X3 website open to edit from other users that you don't trust, who might include hacked external javascripts?

No, not really. I just try to secure the website as much as possible with the current security standards.

> You could of course assign Content-Security-Policy to only allow loading of scripts from *jsdelivr.com* and your own website, but I don't see much benefit.
> https://developer.mozilla.org/en-US/doc ... script-src

Ok, maybe I need to dig a little deeper into this.
Possibly I am thereby only making more and unnecessary work for myself. :thinking:


Best regards
Jens

mjau-mjau
X3 Wizard
Posts: 13993
Joined: 30 Sep 2006, 03:37

Re: CSP Script Security "nonce"

28 Jul 2021, 03:44

A fan of security myself also, as you can never be paranoid enough these days. I can't imagine a scenario where this would be helpful in X3 though, because there is no user input and X3 doesn't even use a database. This content-security-policy may block scripts/html from executing, but where would they come from? They would have to get injected and stored in your website somehow. Also, most server firewall mechanisms (if you have one) will block bots that attempt XSS attacks (if entry points exist). Personally, I use the Cloudflare firewall.
Snowrisk
Topic Author
Posts: 3
Joined: 27 Jul 2021, 11:06

Re: CSP Script Security "nonce"

28 Jul 2021, 03:51

Thanks, Karl. I'll have a look at Cloudflare.
Best regards
Jens