Firstyear
> I'm fairly involved in RustCrypto, would happily handle the versions. Realistically the issue is an external consumer of tss-esapi here - they need to keep everything in lockstep, and...
@yaleman Could be related to some of the ongoing issues re cookies, we have a fix awaiting release that may help, but csp smells a bit like something different.
@yaleman I think you know more about this than me, can I leave it with you?
@yaleman Is there a risk to adding 127.0.0.1 and localhost here in our csp rule?
So does that mean it has to be per-route?
I think there aren't actually many of those, it would just be from the app portal wouldn't it?
@yaleman Our csp header is global at the moment, not per route, so that would make it harder. But tbh, I think if localhost can't be trusted .... well that's...
@yaleman Thoughts? I don't want this to be configurable, but I also don't see how csp affects app handler urls. I'd say if we want to do this "properly" then...
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Content-Security-Policy/form-action It's a bit rough, because then we are signaling this form can post to any of those locations really. I wonder if there is a stupider and simpler way...
https://github.com/w3c/webappsec-csp/issues/8