P2: CSP allows unsafe-inline for styles — weakens XSS protection #12

Closed
opened 2026-05-13 20:40:03 -05:00 by null · 1 comment
Severity: P2 — Medium

File: server/index.js ~line 102

Problem: styleSrc includes unsafe-inline, which allows inline styles and defeats CSP's primary security benefit.

Impact: XSS vulnerability — attackers can inject inline styles with malicious CSS.

Fix: Use nonce-based CSP for styles instead of unsafe-inline.

null added the P2 Medium, security, backend labels 2026-05-17 14:25:55 -05:00
null closed this issue 2026-05-17 16:10:00 -05:00
Closed in batch 0.6.1. Removed 'unsafe-inline' from CSP styleSrc — verified built SPA has no inline styles, all CSS is in extracted files.
Reference: null/Queue-North-Website#12