Icinga/icingaweb2

CSP header is missing the `script-src` policy


Describe the bug

The CSP header used by Icinga Web doesn't define a policy for JavaScript, and thus doesn't prohibit e.g. inlining it.

Expected behavior

`script-src 'self';` should be added.

Your Environment

  • Icinga Web 2 version and modules (System - About): 2.12.0
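
The check the report describes, as an added example that is not part of the original issue or of Icinga Web's code: it parses a CSP header value, finds the directive that governs `<script>` elements (with the `default-src` fallback), and reports whether inline scripts are allowed. The function names and the sample header values are assumptions constructed for illustration, not Icinga Web's actual header.

```javascript
// Parse a Content-Security-Policy header value into a Map of
// directive name -> array of source expressions.
function parseCsp(header) {
  const directives = new Map();
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    // A duplicate directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report which directive governs <script> elements and whether inline
// scripts are allowed under it.
function auditScriptPolicy(header) {
  const csp = parseCsp(header);
  // Fallback chain for script elements: script-src-elem, script-src, default-src.
  const governing = ['script-src-elem', 'script-src', 'default-src']
    .find((d) => csp.has(d)) || null;
  if (governing === null) {
    // No governing directive: the policy places no restriction on scripts.
    return { governing, inlineAllowed: true, finding: 'no script policy' };
  }
  const sources = csp.get(governing).map((s) => s.toLowerCase());
  // 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is present.
  const hasNonceOrHash = sources.some((s) =>
    /^'(nonce-|sha256-|sha384-|sha512-)/.test(s) || s === "'strict-dynamic'");
  const inlineAllowed = sources.includes("'unsafe-inline'") && !hasNonceOrHash;
  return {
    governing,
    inlineAllowed,
    finding: inlineAllowed ? 'inline scripts allowed' : 'inline scripts blocked',
  };
}

// Constructed sample header values (not copied from Icinga Web).
const samples = {
  missing: "style-src 'self'; img-src 'self' data:",
  fixed: "style-src 'self'; img-src 'self' data:; script-src 'self'",
  fallback: "default-src 'self'; style-src 'self'",
  weak: "script-src 'self' 'unsafe-inline'",
};
for (const [label, header] of Object.entries(samples)) {
  console.log(label, auditScriptPolicy(header));
}
```

Running the same function over the `Content-Security-Policy` value of a captured response turns the expected behaviour above into a regression check.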