Author Topic: XSS Security Question  (Read 5190 times)

Loguithat1955
XSS Security Question
« on: January 10, 2018, 06:13:34 AM »
After creating 2 plugins I tried to make them a little bit safer. One of the things I noticed was that the plugins do not work with very restrictive CSP configurations. In particular, these are unsafe-inline and unsafe-eval. I would not consider this critical, but at least it would be a "nice-to-have". But even if I customize my own plugins, Roundcube itself doesn't work anymore when I apply the mentioned CSP rules, because many functions from Roundcube itself also need the above mentioned rules.

So I wanted to ask if it is planned to change JavaScript and Co. in Roundcube so that the above rules are no longer needed? Is there already a kind of roadmap or an approximate time schedule?

alec
Re: XSS Security Question
« Reply #1 on: January 10, 2018, 09:34:11 AM »
There's no such plan yet.