
harden CSP policies further

Open jonasfj opened this issue 6 years ago • 3 comments

Check: https://csp-evaluator.withgoogle.com It seems it's not enough to trust specific domains.

We should probably use:

  • hash, and,
  • strict-dynamic
  • block-all-mixed-content

jonasfj avatar Aug 14 '19 10:08 jonasfj

Or nonce as this yields shorter headers and we are slowly giving up caching of rendered HTML.

jonasfj avatar Oct 09 '19 11:10 jonasfj
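The directives named in the two comments above, assembled into one header value, as an added example that is not part of the original thread and not pub.dev's own code. The function names, the `object-src`/`base-uri` directives and the sample allowlist policy are assumptions made for illustration.

```python
import base64
import hashlib
import secrets

HASH_OR_NONCE = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")

def script_hash(inline_js: str) -> str:
    """CSP hash source for an inline script (exact bytes between the tags)."""
    digest = hashlib.sha256(inline_js.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"

def new_nonce() -> str:
    """Fresh 128-bit nonce. It is per response, so the rendered HTML that
    carries it cannot be served from a shared cache."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")

def build_csp(nonce=None, inline_scripts=()) -> str:
    """Build a policy that trusts scripts by nonce and/or hash, not by host."""
    sources = [script_hash(s) for s in inline_scripts]
    if nonce is not None:
        sources.append(f"'nonce-{nonce}'")
    if not sources:
        raise ValueError("'strict-dynamic' needs at least one nonce or hash")
    return "; ".join([
        # 'strict-dynamic' lets an already trusted script load further scripts.
        "script-src " + " ".join(sources + ["'strict-dynamic'"]),
        "object-src 'none'",        # assumption: not listed in the issue
        "base-uri 'none'",          # assumption: not listed in the issue
        "block-all-mixed-content",  # listed in the issue
    ])

def parse_csp(policy: str) -> dict:
    """Split a policy into {directive: [sources]}; first duplicate wins."""
    parsed = {}
    for directive in policy.split(";"):
        parts = directive.split()
        if parts:
            parsed.setdefault(parts[0].lower(), parts[1:])
    return parsed

def relies_on_allowlist(policy: str) -> bool:
    """True when scripts are trusted only by host or scheme (no nonce/hash)."""
    parsed = parse_csp(policy)
    sources = parsed.get("script-src", parsed.get("default-src", []))
    return not any(s.startswith(HASH_OR_NONCE) for s in sources)

# Constructed sample of a domain-allowlist policy, for comparison.
ALLOWLIST_ONLY = "default-src 'self'; script-src 'self' https://cdn.example.com"
```

The nonce passed to `build_csp` must also be set as the `nonce` attribute on every `<script>` tag in that same response.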

This is still valid

sigurdm avatar Mar 09 '23 10:03 sigurdm

This is still valid.

We might have to integrate deeper with dartdoc's templates to prevent problems from occurring.

sigurdm avatar Feb 01 '24 09:02 sigurdm