Set a Content-Security-Policy header on account/admin related forms


    • Type: Improvement
    • Resolution: Fixed
    • Priority: Normal
    • 2020-09-21
    • Affects Version/s: None
    • Component/s: None

      https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP

      This can help prevent XSS/click-jacking on forms that are intended to be secure. For example, we can block all scripts from running on the change-password form unless they specifically come from musicbrainz.org or staticbrainz.org. (This header may interfere with userscripts on editing forms, so I'd leave it unset there.)

            Assignee: Michael Wiencek
            Reporter: Michael Wiencek
                Version Package
                2020-09-21