Commit
General: HTML code is passed on lines 31-56. This code was without a CSP, leaving it vulnerable. A strict CSP was added on lines 35-38.

Notes:

1. VS Code documentation, as well as other recommendations on CSPs, use default-src 'none'. However, after reviewing the CSPs added in Pull Request #1020, I followed the convention of default-src vscode-resource. Make sure this is the level of security wanted, rather than the more secure 'none'.
2. form-action and frame-ancestors are included because these two directives do not automatically use the default-src permission of the CSP and must be explicitly set.
3. img-src includes https: as recommended by VS Code documentation for CSPs. I also included vscode-resource, but I did not include data: because I don't understand why it's used in Pull Request #1020. If you would like me to include data: let me know, and I will add it to the CSP.
4. script-src and style-src have 'self' included, but if this is redundant after specifying vscode-resource, let me know and I will remove the 'self' value. By including 'self' it whitelists all scripts and styles originating from the URL of the project website.
5. script-src and style-src also have 'unsafe-inline' included, as they were included in the CSPs in Pull Request #1020, but it is recommended that SHA-256 be used when possible instead. script-src can use a SHA-256 hash of scripts, but I'm not sure if style-src can as well. Regardless, I continued using 'unsafe-inline' to match the other CSPs in the project, and because I didn't want to break any of the project's current functions by using too strict a CSP.