Content Security Policy 🛡 #11591
-
Adding my use case/situation for your consideration: I am currently using Helmet, and do not want to allow
-
Pretty much every security scanner out there will flag https://observatory.mozilla.org/. This needs to be addressed. It makes it difficult to pitch MeteorJS as a "very secure" platform when it generates "mediocre" scores from the security scanners.
-
Is this by any chance something that is fixed in Meteor 3? As @cormip mentioned, the mediocre security scores generated by the inclusion of unsafe-eval can cause issues (and is doing so in our case). Are there any other workarounds?
-
For a while there has been a discussion about Content Security Policy and how to proceed with it.
#9689
#11424
#10704
And more in old feature requests.
I'm now concentrating the discussion here.
I'm proposing that we upgrade the existing packages to use Helmet under the hood and wire up all the additional options so that devs don't have to worry about those things like nonce generation and provide good defaults.
Thoughts?