The solution uses inline scripts and styles. According to new best security practices, inline scripts should be moved to external JS/CSS files to allow using the Content Security Policy header with maximum protection for the application.
Do you plan to move them in some future version?
darekjk changed the title from "Inline scripts in the solution blocks adding CSP with full restrictions" to "Inline scripts and styles in the solution blocks adding CSP with full restrictions" on Aug 10, 2024.
The best (for me) is moving every inline script and style section into individual files, so it will still be easy to maintain.
For example, the inline script from AddProductToOrder.cshtml could be moved to the file ~/js/Areas/Admin/Views/Order/AddProductToOrder.js and replaced in the cshtml file with: <script src="~/js/Areas/Admin/Views/Order/AddProductToOrder.js"></script>
It's even simpler than implementing a nonce attribute identifier for every request and adding it to every script section.
Secondly, every script section which uses external JS code should have an integrity attribute, for example: https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity <script src="https://example.com/example-framework.js" integrity="sha384-oqVuAfXRKap7fdgcCY5uykM6+R9GqQ8K/uxy9rx7HNQlGYl1kPzQho1wx4JwY8wC" crossorigin="anonymous"></script>
Some useful info: About CSP by Google
nopCommerce version: up to 4.80.x