0

Using content-security-policy on a ZK based site

asked 2017-04-18 15:10:17 +0800

michaelh gravatar image michaelh
27 1

Has anyone setup a Content Security Policy to prevent XSS attacks with the website is based on ZK. It appears from my experimenting that default-src needs 'unsafe-eval' in order for a ZK site to work. I believe that this attribute 'unsafe-eval' compromises the integrity of the content security policy where users could inject javascript in a eval clause.

It would be nice to hear from ZK on any recommendations they have regarding this. I appreciate feed back from anyone else too.

delete flag offensive retag edit
Be the first one to answer this question!
Please start posting your answer anonymously - your answer will be saved within the current session and published after you log in or create a new account. Please try to give a substantial answer, for discussions, please use comments and please do remember to vote (after you log in)!

[hide preview]

Question tools

Follow
1 follower

RSS

Stats

Asked: 2017-04-18 15:10:17 +0800

Seen: 19 times

Last updated: Apr 18 '17

Related questions

java.lang.ClassNotFoundException: org.zkoss.zk.ui.http.HttpSessionListener

A special search box

Design your own zk theme roller

getting null on @Listen("onEventEdit = #calendars") event SelectorComposer<Component> on clustered environment

zk7 maven releases

How can I change less file runtime?

ZK 7.0.3 Execution.createcomponents updating screen

Accounting App in ZK

Session Invalidate causing desktop variable to null

Improvement for ZK Bind

About Us | Faq | Help | Privacy Policy | Contact Us
Copyright Potix Corporation 2015.
Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
Support Options
  • Email Support
  • Training
  • Consulting
  • Outsourcing
Learn More