P2: CSP allows unsafe-inline for styles — weakens XSS protection #12
Labels
No Label
P0 Critical
P1 High
P2 Medium
P3 Low
accessibility
backend
bug
content
data-integrity
enhancement
frontend
infra
integration
owner
owner-input
performance
performance
phase-7
phase-8
security
seo
ui
ux
No Milestone
No project
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: null/Queue-North-Website#12
Loading…
Reference in New Issue
No description provided.
Delete Branch "%!s(<nil>)"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Severity: P2 — Medium
File: server/index.js ~line 102
Problem: styleSrc includes unsafe-inline, which allows inline styles and defeats CSPs primary security benefit.
Impact: XSS vulnerability — attackers can inject inline styles with malicious CSS.
Fix: Use nonce-based CSP for styles instead of unsafe-inline.
Closed in batch 0.6.1. Removed 'unsafe-inline' from CSP styleSrc — verified built SPA has no inline styles, all CSS is in extracted files.