
'unsafe-inline' in style-src directive capping score to A when it should probably not #100

Open
joelbourbon opened this issue Aug 12, 2021 · 2 comments

Comments

@joelbourbon

joelbourbon commented Aug 12, 2021

Hi,

I recently reworked my CSP rules to try and get an A+ using your tooling.
I adjusted my CSP rules using the Google Tooling --> https://csp-evaluator.withgoogle.com/

According to their evaluation, having 'unsafe-inline' in style-src directive is not an issue.

Would be nice to have both your tools agree on the severity of this ;)

Thanks,

[screenshot attachment]
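The disagreement above comes down to what a checker actually does with `'unsafe-inline'` in `style-src`. As an added example (not code from securityheaders.com, csp-evaluator, or the issue author), the parser below reads a Content-Security-Policy header, resolves the `default-src` fallback, and classifies whether inline scripts and styles are really permitted. It also applies the caveat a grader has to get right: per CSP Level 2 and later, browsers ignore `'unsafe-inline'` when the same directive also carries a nonce- or hash-source, so a policy in the common migration pattern does not allow arbitrary inline content. The `capped_to_a` function is a toy stand-in for the grading rule the thread debates, with a `strict_styles` switch for the two positions; it is an assumption, not the real grader's logic. The sample policies are constructed for illustration.

```python
"""Added example: a small CSP parser for the 'unsafe-inline' in style-src question.

Not code from securityheaders.com or csp-evaluator; the sample policies below are
constructed for illustration.
"""
from __future__ import annotations

# Fetch directives that fall back to default-src when absent (per the CSP spec).
FALLBACK = {"script-src": "default-src", "style-src": "default-src"}
# Source expressions whose presence makes CSP2+ browsers ignore 'unsafe-inline'
# in the same directive.
NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [source expressions]}.

    Directive names are ASCII case-insensitive. If a name repeats, the first
    occurrence wins and later ones are ignored, as the spec requires.
    """
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.split()
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def effective_sources(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list that governs `directive`, or None when nothing restricts it."""
    if directive in policy:
        return policy[directive]
    fallback = FALLBACK.get(directive)
    return policy.get(fallback) if fallback else None


def inline_status(sources: list[str] | None) -> str:
    """Classify whether a source list lets inline content run or apply.

    'unsafe-inline' is ignored by CSP Level 2+ browsers whenever the same
    directive also carries a nonce- or hash-source; that combination is the
    usual migration pattern (legacy browsers honour 'unsafe-inline', modern
    ones enforce the nonce/hash), and a grader should not penalise it.
    """
    if sources is None:
        return "unrestricted"
    lowered = [s.lower() for s in sources]
    has_unsafe_inline = "'unsafe-inline'" in lowered
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in lowered)
    if has_unsafe_inline and not has_nonce_or_hash:
        return "inline-allowed"
    if has_unsafe_inline:
        return "inline-neutralised"
    return "inline-blocked"


def evaluate(header: str) -> dict[str, str]:
    """Inline status for the two directives the thread argues about."""
    policy = parse_csp(header)
    return {d: inline_status(effective_sources(policy, d)) for d in ("script-src", "style-src")}


def capped_to_a(header: str, strict_styles: bool = True) -> bool:
    """Toy version of the rule under debate (an assumption, not the real grader).

    Effective inline scripts always cap the grade; effective inline styles cap
    it only when strict_styles is True.
    """
    status = evaluate(header)
    if status["script-src"] in ("unrestricted", "inline-allowed"):
        return True
    return strict_styles and status["style-src"] in ("unrestricted", "inline-allowed")


if __name__ == "__main__":
    # Constructed sample policies, not taken from the issue.
    samples = {
        "styles inline": "default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'",
        "nonce migration": "default-src 'none'; script-src 'nonce-r4nd0m' 'unsafe-inline'; style-src 'self'",
        "strict": "default-src 'none'; script-src 'self'; style-src 'self'",
    }
    for name, header in samples.items():
        print(f"{name:16} {evaluate(header)} capped={capped_to_a(header)}")
```

Running the script shows the three cases side by side: the first policy is capped only because of styles, the nonce-migration policy is not capped at all despite the literal `'unsafe-inline'` token, and the strict policy passes. Any grader that greps for the token without the nonce/hash rule will mis-score the second case.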

@ScottHelme
Collaborator

I’m still considering removing the unsafe-inline cap for style-src, there have been other developments in this space too.

@Seirdy

Seirdy commented Oct 23, 2022

@ScottHelme I disagree that unsafe-inline styles should allow an A+. The point of a "+" should be distinguishing sites that go beyond basic expectations (i.e. getting an "A").

I like the idea of "one grade that shows every security header is set with maximum protections". I wouldn't want to lose that. Perhaps there should be an "A++" grade that forbids unsafe directives and requires other headers (COEP, COOP, etc).

3 participants