Timeline for Is it a valid approach to have a different CSP based on login state and browser?
Current License: CC BY-SA 4.0
4 events
| when | what | by | license | comment |
|---|---|---|---|---|
| Sep 29, 2021 at 18:58 | comment added | berliner | | So is it inherently bad to provide different CSP rules based on the user agent even if it's not reliable? From my understanding, the low-bar CSP rules would always apply as a baseline, but user agents reporting as modern would still get more secure rules. I don't see how that would create a problem. |
| Sep 29, 2021 at 18:56 | comment added | berliner | | Thanks for this extensive answer. I have doubts about the next steps, though. My idea was to provide a maximum of security for modern browsers and not take the low bar only because less modern browsers don't support it. Safari, for example, understands nonces but doesn't understand strict-dynamic, which makes it impossible (in a Drupal context) to have a functioning backend. Hashes, on the other hand, don't allow CSP "inheritance" like nonces do with strict-dynamic (afaik). And in Drupal, which still comes bundled with CKEditor 4, I honestly don't see a way of getting around 'unsafe-inline'. |
| Sep 20, 2021 at 21:04 | review | First answers | | Completed Sep 21, 2021 at 18:02 |
| Sep 20, 2021 at 21:04 | history answered | granty | CC BY-SA 4.0 | |