LemonLDAP NG / lemonldap-ng / Issues / #2514 (Closed)
Issue created Apr 23, 2021 by Maxime Besson (@maxbes, Maintainer)

improve Content-Security-Policy handling

Summary

The way CSP currently works could be improved. Currently all the work is done in sendHtml().

Heuristics, feature tests and regexps are used to populate the CSP, combined with user-defined options.

We should instead let each module/LLNG feature handle its own CSP (see $req->data->{cspFormAction}).

Design proposition

Example of a better API, in Choice.pm

$req->setCSP("form-action", $url);

or when embedding an iframe:

$req->setCSP("frame-src", $url);

(see also #2513 (closed))
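
One way a per-request `setCSP` could be backed, as an added Perl sketch that is not LemonLDAP::NG code and not part of the issue. The `My::Request` package, the `csp_header()` method, the `default-src 'self'` baseline, the origin-only reduction and the example.com URLs are all assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added sketch, not LemonLDAP::NG code: a per-request CSP accumulator.
# Package name, csp_header() and the default policy are assumptions.
use strict;
use warnings;

package My::Request;

sub new { return bless { csp => {} }, shift }

# Each module registers the sources it needs for one directive.
sub setCSP {
    my ( $self, $directive, @sources ) = @_;
    die "bad directive '$directive'\n"
      unless $directive =~ /^[a-z][a-z-]*$/;
    for my $src (@sources) {
        # A source containing whitespace, ';' or ',' could smuggle in an
        # extra directive or a second policy, so refuse it.
        die "bad source for $directive\n"
          if !defined $src or $src eq '' or $src =~ /[\s;,]/;
        # Design choice of this sketch: keep only scheme://host[:port],
        # which also drops any query string or fragment from the URL.
        $src = $1 if $src =~ m{^(https?://[^/?#]+)}i;
        $self->{csp}{$directive}{$src} = 1;    # hash key deduplicates
    }
    return $self;
}

# Called once, when the response is sent, to build the header value.
sub csp_header {
    my ($self) = @_;
    my %policy = ( 'default-src' => { "'self'" => 1 }, %{ $self->{csp} } );
    return join( '; ',
        map { my $d = $_; "$d " . join( ' ', sort keys %{ $policy{$d} } ) }
        sort keys %policy );
}

package main;

# Constructed sample calls, as two independent modules might issue them.
my $req = My::Request->new;
$req->setCSP( 'form-action', "'self'", 'https://auth.example.com/choice?x=1' );
$req->setCSP( 'frame-src',   'https://app.example.com/embed' );
$req->setCSP( 'form-action', 'https://auth.example.com/other' );  # same origin
print "Content-Security-Policy: ", $req->csp_header, "\n";
```

Because every directive is collected on the request and serialized in one place, the code that sends the page no longer has to infer sources with regexps, and input validation happens at the single point where untrusted URLs enter the policy.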
