0021908: Weakened security headers in 2.0.x

ID	Project	Category	View Status	Date Submitted	Last Update
0021908	mantisbt	security	public	2016-11-13 06:45	2024-09-29 13:22

Reporter	atrol	Assigned To
Priority	normal	Severity	minor	Reproducibility	always
Status	confirmed	Resolution	open
Target Version	2.28.0

Summary	0021908: Weakened security headers in 2.0.x
Description	2.0.x comes with http_csp_add( 'style-src', "'unsafe-inline'" ); in http_api.php. We don't allow unsafe-inline styles in 1.3.x.
Tags	csp

yanual 2017-11-06 05:56 reporter ~0058143	Why you don't allow unsafe-inline styles in 1.3.x. ?

atrol 2017-11-06 06:03 developer ~0058144	Why you don't allow unsafe-inline styles in 1.3.x. ? Wrong question, it should be: Why you allow unsafe-inline styles in 2.x? Allowing unsafe-inline styles decreases security. That's why I reported the issue.

dregad 2017-11-06 06:40 developer ~0058147	@yanual I suggested you read https://stackoverflow.com/a/31759553/1045774 for a brief explanation of the potential risks to your site when unsafe-inline styles are allowed.

yanual 2017-11-06 09:11 reporter ~0058148	@atrol your formulation is indeed better. Ok, I will wait patiently for postponement of the treatment of the issue. @degrad i know these risks.