|
|
|
|
|
|
by allan_s
437 days ago
|
|
|
my point is that all your templates are at thend coded by human that make mistakes https://nvd.nist.gov/vuln/detail/CVE-2024-6578 , you may be not using "dangerouslySetInnerHTML" directly but your dependencies may > What you use as an example has nothing to do with inline/"external" scripts at all, but everything to do with setting DOM contents vs text content. I fail to understand your point (it's certainly an understanding problem on my side) What I wanted to express is that:
1. you can with some CSP forbid loading of cross origin script (i.e forbid hacker.ru/toto.js ) to be loaded
2. but even if you do this, you also want to block inline script (or use inline+nonce) because evil script can be executed from within your origin by using a vulnerability somehwere between the code and the final dom > This would have been the exact same hole regardless if it was put there/read by external/inline JavaScript. yes we both agree that it's the same vulnerability at the end, i'm just saying that you can arrive there from different path, and these different path are protected by different CSP mechanism |
|
|