Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by Javascript.
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
Doesn’t Lemmy use HttpOnly cookies? This would fix any js based exploit.
Also, strict CSP would prevent it entirely.
out of curiosity, what CSP options would fix this?
To prevent execution of scripts not referenced with the correct nonce:
script-src 'self' 'nonce-$RANDOM'To make it super strict, this set could be used:
default-src 'self'; script-src 'nonce-$RANDOM' object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; frame-src 'none'; require-trusted-types-for 'script'Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also:
form-action 'none';should be validated. It should be set toselfif forms are actually used to send data to the server and not handled by Javascript.The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
deleted by creator
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
deleted by creator