hjmaier Posted May 6, 2018
Dear developers, I know that CSP is nothing the software has to deal with, but a guideline on which CSP we should use to make IPB secure would be great. I am currently struggling with it myself and have some trouble getting the scripts in the admin center to work. For you, the developers of this software, it would be easy to tell us a good policy. This would also solve some issues with privacy, since we could block unwanted content.
Colonel_mortis Posted May 6, 2018
Unfortunately the editor uses inline scripts, and there's no way to avoid that with the current editor (it currently uses CKEditor 4, and it's fixed in 5, but that is a huge change which drops support for all existing plugins and all but the most recent browsers, so it isn't something that IPS can even begin to consider until at least 4.4, and quite possibly later). If you enable unsafe-inline in your CSP, it makes it effectively useless, because in almost all cases if you can inject a script hosted on a remote site, you can inject the script body locally. A CSP is a security feature rather than a solution for privacy or unwanted content - there shouldn't be anything that you, as the site owner, don't want in the first place.
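An added check, not code from IPS or from anyone in this thread, that parses a Content-Security-Policy value and applies the rule Colonel_mortis describes: with 'unsafe-inline' in effect any inline script runs, whereas a hash or nonce source (which browsers treat as overriding 'unsafe-inline') lets only the script bodies the site owner chose run. The sample policies and script bodies are constructed.

```python
import base64
import hashlib

HASH_PREFIXES = ("'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict:
    """Parse a Content-Security-Policy header value into {directive: [sources]}."""
    policy = {}
    for directive in header.split(";"):
        tokens = directive.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def script_sources(policy: dict) -> list:
    """script-src governs scripts; default-src is the fallback when it is absent."""
    return policy.get("script-src", policy.get("default-src", []))


def _uses_nonce_or_hash(sources: list) -> bool:
    return any(s.startswith(("'nonce-",) + HASH_PREFIXES) for s in sources)


def inline_hash_source(script_body: str) -> str:
    """The 'sha256-...' expression that allows exactly this inline script body."""
    digest = hashlib.sha256(script_body.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def weak_script_policy(policy: dict) -> bool:
    """True when 'unsafe-inline' is really in effect for scripts, i.e. the case
    where the CSP no longer stops an injected inline script from running."""
    sources = script_sources(policy)
    return "'unsafe-inline'" in sources and not _uses_nonce_or_hash(sources)


def inline_script_allowed(policy: dict, script_body: str, nonce: str = None) -> bool:
    """Would the browser run this inline <script> under the policy?"""
    sources = script_sources(policy)
    if weak_script_policy(policy):
        return True  # 'unsafe-inline' with no nonce/hash: everything inline runs
    if nonce is not None and f"'nonce-{nonce}'" in sources:
        return True
    return inline_hash_source(script_body) in sources


# Constructed sample policies; INLINE_BODY stands in for a script the site needs.
INLINE_BODY = "window.addEventListener('load', function () { /* editor bootstrap */ });"
WEAK = "default-src 'self'; script-src 'self' 'unsafe-inline'"
STRICT = "default-src 'self'; script-src 'self' " + inline_hash_source(INLINE_BODY)
```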
AlexWright Posted May 6, 2018
Colonel_mortis said: A CSP is a security feature rather than a solution for privacy or unwanted content - there shouldn't be anything that you, as the site owner, don't want in the first place.
Well, I mean there's a whole slough of content I don't want on the site... but I have moderators to deal with that.
hjmaier (Author) Posted May 7, 2018
@Colonel_mortis Thank you for your answer. I totally agree with you about the meaning of CSP and what it is made for. But: as a European, I have to deal with the new privacy laws (GDPR). CSP would be a way to filter iframes and similar old content before I can get rid of them or alter them to something compliant. My forum has almost 3 million postings. It will take a bit to find a good solution for old content. And yes, unfortunately, the new law is really strict.