An option to disable overrides via GET parameter #103
Comments
|
We would greatly benefit from this as well. There should be a differentiation between whitelisting/allowed hostnames to override from vs. CSP script sources. Loading a script from a known source shouldn't imply any JS hosted on those hostnames are valid overridables. Ex: I wish to load specific JS files from jsDelivr.com, but do not wish for |
|
Could we get this fix patched? |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This library probably should not be used in production, however it's not uncommon to sacrifice security for convenience. There's a good guidance on practices to avoid security issues if devs opt-in to use it in non-dev environments, but I think that having a GET parameter that allows injection of 3rd party scripts is too permissive and easy to exploit. I believe this behavior should be disabled by default, or at least there's should be an option to disable it.
I'd appreciate any thoughts on this and will be happy to help with the PR if this proposal sounds sensible.
The text was updated successfully, but these errors were encountered: