Security vulnerability

msitenamic

New Member
Please update the MailWizz script and its JavaScript components to run under a hash or nonce per Content Security Policy, and not as 'unsafe-inline', which is a vulnerability in the code.

I look forward to the updated version with this security update.
 
I wouldn't say this is a security vulnerability, rather an improvement to the existing security policies.
We provide a hook to set the right content security policy header. By default, we have a loose policy, but you can, at any time, set a different one.
The hook name is content_security_policy_header_policy_directives and you can check the app for it.

Anyway, providing a hash will be a bit difficult given lots of extensions can register their own JS and CSS and we don't know how they do it, i.e., not through the regular registerScript and registerStyle methods.

But yeah, definitely we should try and improve this area.
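As an added illustration of the hook the reply mentions (this is not MailWizz's own code), here is what a nonce-based policy registered through it could look like. It assumes the hook is a filter that receives and returns an associative array of directive => sources, and that `hooks()->addFilter()` is the registration API; both are assumptions to verify against the app before use.

```php
<?php
// Added example, not code from MailWizz. Labelled assumptions:
//  - content_security_policy_header_policy_directives is a filter hook that
//    receives an array of directive => [sources] and returns it, possibly changed;
//  - hooks()->addFilter() is the registration API available to extensions.
// Grep the app for the hook name to confirm both before relying on this.

// One nonce per request: 16 random bytes, base64-encoded as CSP expects.
$cspNonce = base64_encode(random_bytes(16));

hooks()->addFilter(
    'content_security_policy_header_policy_directives',
    function (array $directives) use ($cspNonce): array {
        // Replace the loose default with a nonce policy. Once 'unsafe-inline'
        // is gone, any inline <script> or <style> that lacks nonce="..." is
        // blocked by the browser. That is exactly the breakage the reply
        // predicts for extensions that inject tags outside
        // registerScript()/registerStyle(), so expect to find and fix those.
        $directives['default-src'] = ["'self'"];
        $directives['script-src']  = ["'self'", "'nonce-" . $cspNonce . "'"];
        $directives['style-src']   = ["'self'", "'nonce-" . $cspNonce . "'"];
        $directives['object-src']  = ["'none'"];
        $directives['base-uri']    = ["'self'"];
        return $directives;
    }
);

// Whatever renders inline tags must emit the same value, e.g.
// <script nonce="<?= htmlspecialchars($cspNonce) ?>">...</script>.
// How to thread $cspNonce into MailWizz's view layer is not covered here.
```

Before enforcing, serve the same directives as a Content-Security-Policy-Report-Only header (for example from the web server) with a report-uri/report-to endpoint; the violation reports show which extensions inject inline scripts or styles without going through the regular registration methods.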
 