Don't rely on CSP style-src unsafe-inline #960

Open
wkramer opened this issue Aug 29, 2024 · 1 comment
wkramer commented Aug 29, 2024

See https://github.com/cssinjs/jss/blob/master/docs/csp.md for a solution for Vuetify style sheets.
Replace vue-slider-component with v-slider from Vuetify (use next https://github.com/Deltares/fews-web-oc-components).


wkramer commented Sep 10, 2024

Nginx instructions:

Check if your nginx install supports the required modules:

```
nginx -V 2>&1 | tr ' ' '\n' | grep 'http_sub_module'
nginx -V 2>&1 | tr ' ' '\n' | grep 'http_ssl_module'
```

Standard value request_id: https://nginx.org/en/docs/http/ngx_http_core_module.html
If NGX_OPENSSL the request_id is a cryptographically safe random number:
https://github.com/nginx/nginx/blob/4bf4650f2f10f7bbacfe7a33da744f18951d416d/src/http/ngx_http_variables.c#L2148

Check in current master: https://github.com/nginx/nginx/blob/master/src/http/ngx_http_variables.c

If the generated request_id has capital D's at the 9th, 18th, 27th and 36th positions, the number is only pseudo-random.

Bad:
`nonce-e8bb1abcD9ae1192bDd4c0691cDdf50a163D`

Good:
`nonce-d5ec3b35c37b715c9ef5a98d47580f3d`
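
A format check for the pattern described in the comment above, added here as an example; it is not part of the original issue or the project's code. The function names and the sample header layout are assumptions, and the two nonce values are the ones quoted in the comment.

```shell
#!/bin/sh
# Added example: flag nonces that carry the marker described in the comment
# (capital D at positions 9, 18, 27 and 36 of the request_id).
# Function names and the header layout below are assumptions.

# Print the nonce value found on a header line (the last one, if several).
extract_nonce() {
    printf '%s\n' "$1" | sed -n 's/.*nonce-\([0-9A-Za-z]*\).*/\1/p'
}

# Classify a nonce by format only; this cannot prove how it was generated.
classify_nonce() {
    value=${1#nonce-}
    if printf '%s\n' "$value" | grep -Eq '^([0-9a-f]{8}D){4}$'; then
        echo "pseudo-random"      # D markers present: the "Bad" case
    elif printf '%s\n' "$value" | grep -Eq '^[0-9a-f]{32}$'; then
        echo "expected-format"    # 32 hex characters: the "Good" case
    else
        echo "unknown"
    fi
}

# Read header lines on stdin, print a verdict per nonce, and return 1 if
# any nonce is not in the expected format.
audit_headers() {
    rc=0
    while IFS= read -r line; do
        found=$(extract_nonce "$line")
        [ -n "$found" ] || continue
        verdict=$(classify_nonce "$found")
        printf '%s\t%s\n' "$verdict" "$found"
        [ "$verdict" = "expected-format" ] || rc=1
    done
    return "$rc"
}

# Constructed sample headers built from the two nonces quoted in the comment.
SAMPLE_HEADERS="Content-Security-Policy: style-src 'self' 'nonce-e8bb1abcD9ae1192bDd4c0691cDdf50a163D'
Content-Security-Policy: style-src 'self' 'nonce-d5ec3b35c37b715c9ef5a98d47580f3d'"

printf '%s\n' "$SAMPLE_HEADERS" | audit_headers || echo "at least one nonce needs attention"
```

Against a deployed server, the header lines fed to `audit_headers` would come from the responses of your own nginx instance, for example collected with `curl -sI`.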
