No way to obtain an A+ grade to headers test #2462
Comments
See also #1252
We can't really do anything, it's related to Angular.
@Chocobozzz According to this documentation page, Angular works fine even with strict CSP, if you configure it correctly. Is that wrong? If so, this issue should still be kept open until a solution can be found.
Your documentation is for Angular 1.
Right, I just didn't find the same documentation for Angular 2. Or are you saying this feature was completely removed? Anyway I don't see any reason to close this issue if it is not resolved.
Ahead-of-Time (AOT) compilation (aka As for the scripts, 'unsafe-inline' is also required if we want plugins to work. There will be a way with angular/angular#26152 though: a combination of nonce-based CSP with strict-dynamic directive. Hence, if a script trusted with a nonce creates a new script at runtime, this new script will also be considered legitimate.
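
As an added example (not PeerTube's code and not part of the original thread), this Python checker reports whether a CSP header still effectively permits inline scripts or styles, applying the rule from the comment above that a nonce or 'strict-dynamic' in the source list makes browsers ignore 'unsafe-inline'. The two sample policies and the nonce value are constructed for illustration.

```python
import re

# Matches nonce-source and hash-source expressions such as 'nonce-abc123' or 'sha256-...'.
NONCE_OR_HASH = re.compile(r"^'(nonce-|sha(256|384|512)-)[A-Za-z0-9+/_=-]+'$", re.IGNORECASE)

# Constructed sample policies (assumptions, not taken from a real instance).
INLINE_POLICY = "default-src 'none'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'"
NONCE_POLICY = ("default-src 'none'; "
                "script-src 'nonce-cmFuZG9tMTIz' 'strict-dynamic' 'unsafe-inline'; style-src 'self'")

def parse_csp(header):
    """Return {directive: [sources]}; the first occurrence of a directive wins."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy

def effective_sources(policy, directive):
    """Source list governing `directive`, falling back to default-src; None if unrestricted."""
    if directive in policy:
        return policy[directive]
    return policy.get("default-src")

def inline_allowed(policy, directive):
    """True if inline content under `directive` runs without needing a nonce or hash."""
    sources = effective_sources(policy, directive)
    if sources is None:
        return True  # neither the directive nor default-src is set: inline is unrestricted
    # A nonce or hash in the list makes CSP2+ browsers ignore 'unsafe-inline'.
    if any(NONCE_OR_HASH.match(s) for s in sources):
        return False
    lowered = [s.lower() for s in sources]
    # 'strict-dynamic' applies to scripts only and also disables 'unsafe-inline'.
    if directive == "script-src" and "'strict-dynamic'" in lowered:
        return False
    return "'unsafe-inline'" in lowered

def audit(header):
    """Map each inline-relevant directive to whether inline content is effectively allowed."""
    policy = parse_csp(header)
    return {d: inline_allowed(policy, d) for d in ("script-src", "style-src")}

if __name__ == "__main__":
    for name, header in (("inline", INLINE_POLICY), ("nonce", NONCE_POLICY)):
        print(name, audit(header))
```

In the nonce-based policy the 'unsafe-inline' token remains only as a fallback for browsers that do not understand nonces; browsers that do understand them ignore it.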
What happened?
https://securityheaders.com/?q=peertube.pcservice46.fr&followRedirects=on
No way to obtain an A+ grade to that test because of a non-secure Content Security Policy parameter: style-src 'self' 'unsafe-inline';
If I change that to self without unsafe-inline, the interface is completely broken.
What do you expect to happen instead?
Can have a full grade for my Peertube Instance.
Steps to reproduce:
Repeat the same config I tell in: What happened?
Additional information