Using content-security-policy on a ZK based site

asked 2017-04-18 15:10:17 +0800

michaelh

Has anyone set up a Content Security Policy to prevent XSS attacks when the website is based on ZK? It appears from my experimenting that default-src needs 'unsafe-eval' in order for a ZK site to work. I believe that this attribute 'unsafe-eval' compromises the integrity of the content security policy, where users could inject JavaScript in an eval clause.

It would be nice to hear from ZK on any recommendations they have regarding this. I appreciate feedback from anyone else too.


Seen: 19 times

Last updated: Apr 18 '17
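
As an added example (not part of the original post and not ZK's own code), the check below parses a policy string and reports whether `eval` is permitted and by which directive, following the CSP rule that `script-src` governs eval and falls back to `default-src`. The function names and the sample policies are constructed for illustration.

```javascript
// Parse a Content-Security-Policy header value into directive -> source list.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase(); // directive names are case-insensitive
    // A repeated directive is ignored by browsers; the first one wins.
    if (!directives.has(name)) directives.set(name, tokens.slice(1));
  }
  return directives;
}

// Report whether eval() is allowed and which directive decides it.
function auditEval(policy) {
  const d = parseCsp(policy);
  const governedBy = d.has("script-src") ? "script-src"
    : d.has("default-src") ? "default-src" : null;
  if (governedBy === null) {
    return { evalAllowed: true, governedBy,
             note: "no script-src or default-src: eval is not restricted" };
  }
  const has = (name) =>
    (d.get(name) || []).some((s) => s.toLowerCase() === "'unsafe-eval'");
  const evalAllowed = has(governedBy);
  let note = evalAllowed ? "eval allowed" : "eval blocked";
  if (evalAllowed && governedBy === "default-src") {
    note = "'unsafe-eval' sits on default-src; state it on script-src only";
  } else if (!evalAllowed && governedBy === "script-src" && has("default-src")) {
    note = "'unsafe-eval' on default-src is overridden by script-src: eval blocked";
  }
  return { evalAllowed, governedBy, note };
}

// Constructed sample policies.
const samples = [
  "default-src 'self' 'unsafe-eval'",
  "default-src 'self'; script-src 'self' 'unsafe-eval'",
  "default-src 'self' 'unsafe-eval'; script-src 'self'",
];
for (const p of samples) console.log(p, "=>", JSON.stringify(auditEval(p)));
```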
