CSP header is missing the `script-src` policy
nilmerg commented
Describe the bug
The CSP header used by Icinga Web doesn't define a policy for JavaScript, and thus doesn't prohibit e.g. inlining it.
Expected behavior
`script-src 'self';` should be added.
Your Environment
- Icinga Web 2 version and modules (System - About): 2.12.0
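
A check for the condition this issue describes, as an added example that is not part of the issue or of Icinga Web's code: it parses a CSP header value and reports which directive governs scripts (`script-src`, else the `default-src` fallback) and whether inline script is still allowed. The function names and the sample header strings are constructed for illustration.

```javascript
// Added example, not Icinga Web code. Function names are hypothetical.

// Parse a Content-Security-Policy header value into a Map: directive -> sources.
function parseCsp(headerValue) {
  const policy = new Map();
  for (const part of headerValue.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue; // empty segment, e.g. after a trailing ';'
    const name = tokens[0].toLowerCase();
    // A repeated directive is ignored by browsers; the first occurrence wins.
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Report the directive that governs script execution and whether
// inline <script> blocks and event handlers are still permitted.
function scriptPolicy(headerValue) {
  const policy = parseCsp(headerValue);
  // script-src takes precedence; default-src is the fallback.
  const governing = ['script-src', 'default-src'].find((d) => policy.has(d)) || null;
  if (governing === null) {
    // No directive covers scripts: the browser applies no restriction at all.
    return { governing, sources: [], inlineAllowed: true };
  }
  const sources = policy.get(governing);
  const lower = sources.map((s) => s.toLowerCase());
  // A nonce, hash or 'strict-dynamic' makes browsers ignore 'unsafe-inline'.
  const overridesInline = lower.some(
    (s) => /^'(nonce-|sha(256|384|512)-)/.test(s) || s === "'strict-dynamic'"
  );
  const inlineAllowed = lower.includes("'unsafe-inline'") && !overridesInline;
  return { governing, sources, inlineAllowed };
}

// Constructed sample header values (not captured from a real installation).
const samples = [
  "style-src 'self'",                     // no script policy
  "style-src 'self'; script-src 'self';", // the addition the issue asks for
  "default-src 'self'",                   // covered through the fallback
  "script-src 'self' 'unsafe-inline'",    // directive present, inline still allowed
];
for (const header of samples) {
  console.log(header, '=>', JSON.stringify(scriptPolicy(header)));
}
```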