Recommended CSP #103

gene-git · 2021-07-27T11:50:23Z

First - thank you for actively working on this project, It really is very much appreciated.

Wondering what your thoughts are around the most secure content security policy that can be used for Snappymail.
And do you have any plans / ideas to allow removal of stuff like 'unsafe-inline' (which seems to be needed for both style-src and script-src)?

thanks again

the-djmaze · 2021-07-28T07:05:06Z

unsafe-inline on the style-src is needed for email because html emails are self contained.
unsafe-inline & unsafe-eval on script-src might be dropped in the future when everything works with it (which it doesn't at the moment.

Tighten it even more is hardly impossible due to the nature of email (remote images for example).
But for the images there is the proxy feature, see #16

gene-git · 2021-07-28T12:51:09Z

Thank you - and the earlier discussion was informative - you're definitely helping me slowly get up to speed.

the-djmaze pushed a commit that referenced this issue Jul 28, 2021

Make <script> secure with CSP, see issue #103

a3d2b56

the-djmaze pushed a commit that referenced this issue Jul 28, 2021

CSP 'unsafe-eval' required for Knockout.js, see issue #103

e0106a6

gene-git closed this as completed Jul 28, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Recommended CSP #103

Recommended CSP #103

gene-git commented Jul 27, 2021

the-djmaze commented Jul 28, 2021 •

edited

Loading

gene-git commented Jul 28, 2021

Recommended CSP #103

Recommended CSP #103

Comments

gene-git commented Jul 27, 2021

the-djmaze commented Jul 28, 2021 • edited Loading

gene-git commented Jul 28, 2021

the-djmaze commented Jul 28, 2021 •

edited

Loading