Really? I’ve just had a search on here and found only one topic, with no replies. I take it from that there isn’t much activity on the subject. I’ll make the devs aware of your question.
If you think there are issues in the phpBB3-core, feel free to open a bug report in the tracker and contribute to the code by pull requests
CSP even comes up with directives to allow that.
phpBB alone can't do that for you - you have to know yourself how to set i.e. img-src.
Yes, since 3.1 phpBB also uses external resources (like //maxcdn.bootstrapcdn.com) and everybody should be aware of this questionable approach.
May I add: the "and" is the most important word here, as creating a bug ticket alone is not enough for most developers, regardless of the amount of details - if you don't come up with a GIT pull request consider it a waste of time and effort.
Yes, but inline js/styles by using nonces or hashes is an extension of CSP (version 2 or even 3), which is not supported by all browsers, whereas CSP version 1 is supported even by MSIE 11.
This has nothing to do with the topic. CSP is not a replacement for any security measures and CSP cannot be replaced by other security measures. If you don't know what CSP does, please look it up.
dbj wrote: Fri Feb 02, 2018 1:43 pm
This has nothing to do with the topic. CSP is not a replacement for any security measures and CSP cannot be replaced by other security measures. If you don't know what CSP does, please look it up.

^ This. Security audits do not mean phpBB is safe full-stop, end of story. They are AWESOME, and it's AWESOME that phpBB takes it this seriously, but all a security audit means is that it's safe against the attacks the auditing company knew of and tested for at that time. It should go without saying that it's literally impossible for a company to audit against vulnerabilities that were unknown at the time, and the CSP is a preventative measure against potential future vulnerabilities. One does not negate the other; they are two completely separate tools and methods that simply happen to share a similar end goal: keep your website safe.
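Since the thread turns on two practical points, that you have to work out your own img-src / script-src sources for a board that pulls Bootstrap from //maxcdn.bootstrapcdn.com, and that nonce and hash sources for inline code are a CSP level 2 feature with different semantics from 'unsafe-inline', here is an added example (not phpBB code and not from anyone in this thread): a small Python evaluator that parses a CSP header value and reports whether a given URL or inline block would be permitted. The page URL forum.example, the host third-party.example and the policy returned by build_policy() are constructed for illustration; port and path matching and 'strict-dynamic' from the real spec are deliberately left out.

```python
"""Content-Security-Policy evaluator (constructed example, not phpBB code).

Answers two questions a board operator faces when writing a policy: would
the browser load this URL under this directive, and would this inline
script/style run?  Handles 'self', 'none', '*', scheme sources (https:,
data:), host sources with *. wildcards, default-src fallback, and the CSP
level 2 rule that a nonce or hash source switches 'unsafe-inline' off.
Simplified: no port/path matching, no 'strict-dynamic'.
"""
import base64
import hashlib
import secrets
from urllib.parse import urlsplit

# Fetch directives that fall back to default-src when not set explicitly.
FETCH_DIRECTIVES = {"script-src", "style-src", "img-src", "font-src",
                    "connect-src", "media-src", "object-src", "frame-src"}


def parse_csp(header):
    """Turn "a-src x y; b-src z" into {'a-src': ['x', 'y'], 'b-src': ['z']}."""
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), []).extend(tokens[1:])
    return policy


def effective_sources(policy, directive):
    """Sources governing a directive, honouring default-src fallback."""
    if directive in policy:
        return policy[directive]
    if directive in FETCH_DIRECTIVES and "default-src" in policy:
        return policy["default-src"]
    return ["*"]  # nothing in the policy restricts it


def _host_matches(pattern, host):
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])  # *.example.com matches a.example.com, not example.com
    return pattern == host


def source_allows(source, url, page):
    """Does one source expression permit fetching `url` from a page with origin `page`?"""
    src = source.lower()
    target = urlsplit(url)
    if src == "'none'":
        return False
    if src == "*":
        return target.scheme not in ("data", "blob", "filesystem")
    if src == "'self'":
        return (target.scheme, target.hostname) == (page.scheme, page.hostname)
    if src.startswith("'"):
        return False  # 'unsafe-inline', 'nonce-…', 'sha256-…' never match URLs
    if src.endswith(":"):  # scheme source such as https: or data:
        return target.scheme == src[:-1]
    scheme, _, host = src.partition("://") if "://" in src else (None, None, src)
    host = host.split("/", 1)[0]
    if scheme is not None and target.scheme != scheme:
        return False
    if scheme is None and target.scheme not in (page.scheme, "https"):
        return False  # scheme-less host inherits the page scheme (https upgrade allowed)
    return _host_matches(host, target.hostname or "")


def url_allowed(policy, directive, url, page_url):
    """Would a browser on page_url load `url` under `directive`?"""
    page = urlsplit(page_url)
    if url.startswith("//"):  # protocol-relative, as in //maxcdn.bootstrapcdn.com/...
        url = page.scheme + ":" + url
    return any(source_allows(s, url, page) for s in effective_sources(policy, directive))


def sha256_source(content):
    """CSP hash source for an inline block: 'sha256-<base64 of SHA-256>'."""
    digest = hashlib.sha256(content.encode("utf-8")).digest()
    return "'sha256-%s'" % base64.b64encode(digest).decode("ascii")


def make_nonce():
    """Fresh per-response nonce; must be unguessable and never reused."""
    return base64.b64encode(secrets.token_bytes(16)).decode("ascii")


def inline_allowed(policy, directive, content=None, nonce=None):
    """Would an inline script/style run?  A nonce or hash source disables 'unsafe-inline' (CSP 2)."""
    sources = effective_sources(policy, directive)
    strict = any(s.startswith("'nonce-") or s.startswith("'sha") for s in sources)
    if not strict and "'unsafe-inline'" in (s.lower() for s in sources):
        return True
    if nonce is not None and "'nonce-%s'" % nonce in sources:
        return True
    return content is not None and sha256_source(content) in sources


def build_policy(nonce):
    """Constructed policy: own assets plus Bootstrap from the CDN mentioned in the thread."""
    return "; ".join([
        "default-src 'self'",
        "script-src 'self' https://maxcdn.bootstrapcdn.com 'nonce-%s'" % nonce,
        "style-src 'self' https://maxcdn.bootstrapcdn.com",
        "img-src 'self' https://maxcdn.bootstrapcdn.com data:",
        "font-src 'self' https://maxcdn.bootstrapcdn.com",
        "object-src 'none'",
    ])


if __name__ == "__main__":
    nonce = make_nonce()
    policy = parse_csp(build_policy(nonce))
    page = "https://forum.example/index.php"  # constructed page URL
    for directive, url in [
        ("script-src", "//maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"),
        ("script-src", "https://third-party.example/tracker.js"),
        ("img-src", "data:image/png;base64,iVBORw0KGgo="),
        ("connect-src", "https://forum.example/ajax.php"),
        ("object-src", "https://forum.example/legacy.swf"),
    ]:
        state = "allowed" if url_allowed(policy, directive, url, page) else "BLOCKED"
        print("%-12s %-62s %s" % (directive, url, state))
    print("inline script with nonce:", inline_allowed(policy, "script-src", nonce=nonce))
    print("inline style, no nonce/hash:", inline_allowed(policy, "style-src", content="body{}"))
```

The rule worth noticing in inline_allowed() is the one behind the CSP 1 vs CSP 2 remark above: a policy that lists 'unsafe-inline' alongside a nonce or hash is treated by a level 2 browser as if 'unsafe-inline' were absent, while a level 1 only browser such as MSIE 11 ignores the nonce and falls back to 'unsafe-inline', which is why people ship both when they still need to support it.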