You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
This library probably should not be used in production, however it's not uncommon to sacrifice security for convenience. There's a good guidance on practices to avoid security issues if devs opt-in to use it in non-dev environments, but I think that having a GET parameter that allows injection of 3rd party scripts is too permissive and easy to exploit. I believe this behavior should be disabled by default, or at least there's should be an option to disable it.
I'd appreciate any thoughts on this and will be happy to help with the PR if this proposal sounds sensible.
The text was updated successfully, but these errors were encountered:
There should be a differentiation between whitelisting/allowed hostnames to override from vs. CSP script sources. Loading a script from a known source shouldn't imply any JS hosted on those hostnames are valid overridables.
Ex: I wish to load specific JS files from jsDelivr.com, but do not wish for ?imo to accept any script from jsDelivr as valid overrides.
This would lead to an XSS attack.
This library probably should not be used in production, however it's not uncommon to sacrifice security for convenience. There's a good guidance on practices to avoid security issues if devs opt-in to use it in non-dev environments, but I think that having a GET parameter that allows injection of 3rd party scripts is too permissive and easy to exploit. I believe this behavior should be disabled by default, or at least there's should be an option to disable it.
I'd appreciate any thoughts on this and will be happy to help with the PR if this proposal sounds sensible.
The text was updated successfully, but these errors were encountered: