|
|
@@ -11,7 +11,7 @@
|
|
|
>
|
|
|
> Each finding is referenced as **F<N>** for later citation.
|
|
|
>
|
|
|
-> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (23 fixed, 19 open).
|
|
|
+> **Findings rolled up:** 5 sev-3 (5 fixed, 0 open), 27 sev-2 (27 fixed, 0 open), 42 sev-1 (24 fixed, 18 open).
|
|
|
|
|
|
---
|
|
|
|
|
|
@@ -1845,6 +1845,24 @@
|
|
|
into a packaged `/assets/app.js`, lets the CSP drop the
|
|
|
`'unsafe-inline'` token.
|
|
|
- **Severity: 1**
|
|
|
+- **Status:** Fixed by the F24 fix (`193f646`). Both migration paths
|
|
|
+ the SEC_REVIEW recommended were applied:
|
|
|
+ 1. Per-page inline scripts in `pages/ips/detail.twig`,
|
|
|
+ `pages/categories/edit.twig`, `pages/policies/edit.twig`, and
|
|
|
+ `pages/audit/index.twig` are gone — their behaviour was moved
|
|
|
+ into Alpine components in the packaged `ui/resources/js/app.js`,
|
|
|
+ loaded via `<script src="/assets/app.js" defer>` in `layout.twig`.
|
|
|
+ 2. The single remaining inline `<script>` (the dark-mode FOUC
|
|
|
+ preloader in `layout.twig` — has to stay inline because `app.js`
|
|
|
+ is `defer`red and runs after layout) now carries
|
|
|
+ `nonce="{{ csp_nonce }}"`, where `csp_nonce` is minted per
|
|
|
+ request by `App\Http\CspMiddleware` and matched on the response's
|
|
|
+ `Content-Security-Policy` header.
|
|
|
+ Result: `script-src` is now `'self' 'nonce-…'` only —
|
|
|
+ `'unsafe-inline'` is gone. `grep -rn "<script" ui/resources/views`
|
|
|
+ returns exactly the two layout.twig hits (one inline-with-nonce,
|
|
|
+ one external src). Closing F56 for bookkeeping; no new code change
|
|
|
+ needed.
|
|
|
|
|
|
### F57 — Session cookie name lacks `__Host-` prefix
|
|
|
- **File:** `ui/src/Auth/SessionManager.php:23, 54-62`
|
chiappa