Tomasz Wrobel
@kamranahmedse - would you consider implementing this hack (https://github.com/kamranahmedse/driver.js/issues/133#issuecomment-549714982) into driver.js?
I had the same problem and @Moon1102's solution works great. Thanks! @kamranahmedse - it would be worth adding an additional parameter to handle it through the Driver constructor rather than overwriting...
I totally agree with @Sjord's comment: [here](https://github.com/OWASP/ASVS/issues/1297#issuecomment-1214133989). IMO the end solution should be a minimum set of CSP rules that should be applied at each level, e.g. not allowing `script-src=unsafe-inline` from...
I would recommend the following: ### For the CSP section description: Any new web project should have a CSP implemented at the beginning of the project and initially be set...
@elarlang - I get your point that initial CSP wouldn't work for some projects. How about the following CSP section description? > Any new web project should have a CSP...
@tghosth - it's testable as it requires verification of the CSP response header. @jmanico - it's a good point to include a nonce, although it's important that it's generated every time...
I agree that loading scripts with a nonce is more secure than an allow list, but I am not sure if ASVS should force it and force 'strict-dynamic'. Maybe it should be...
Yes it is, but I still believe that together we can come up with some general minimum CSP requirements in ASVS
Is it planned to be fixed anytime soon? (e.g. in upcoming Highcharts v.11?)
@pawelfus is the fix planned any time soon (e.g. this year)?