CSP String vs. Array Bug

@designfrontier released this 03 Feb 14:37
· 911 commits to master since this release

This release also covers v2.2.3, v2.1.2

A bug was discovered that caused Content Security Policy generation to crash the server if CSPs were set as strings in the security config object instead of as an array of values. This is now corrected. The underlying problem was that this lacked documentation, which is how it came to cause real-world problems.

Both forms are now supported: an array of options, or a string containing the options.

The crash also only happened when someone using a version of Firefox between 4 and 23 visited the site in question and the site was using 'unsafe-inline' in its styleSrc directive.
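The sketch below is an added example, not the project's own code. It shows one way a config loader can accept both forms described above and fail with a clear error at startup instead of crashing on a request. The function names and the camelCase config keys other than `styleSrc` are assumptions.

```javascript
'use strict';

// Hypothetical helpers for illustration; these names are not the project's API.

// Accept 'a b c' or ['a', 'b', 'c'] and always return an array of sources,
// so later code can rely on array methods regardless of how the config was written.
function normalizeSources(value, directive) {
  if (typeof value === 'string') {
    return value.split(/\s+/).filter(Boolean);
  }
  if (Array.isArray(value)) {
    value.forEach((v) => {
      if (typeof v !== 'string') {
        throw new TypeError(`${directive}: every source must be a string`);
      }
    });
    // An array item may itself hold several space-separated sources.
    return value.flatMap((v) => v.split(/\s+/).filter(Boolean));
  }
  throw new TypeError(`${directive}: expected a string or an array of strings`);
}

// styleSrc -> style-src
function toHeaderName(key) {
  return key.replace(/[A-Z]/g, (c) => '-' + c.toLowerCase());
}

// Build the Content-Security-Policy header value from a config object.
function buildCsp(config) {
  return Object.keys(config)
    .map((key) => {
      const sources = normalizeSources(config[key], key);
      for (const s of sources) {
        // ';' would start a new directive and ',' a new policy: reject both.
        if (/[;,]/.test(s)) throw new TypeError(`${key}: invalid character in "${s}"`);
      }
      return [toHeaderName(key), ...sources].join(' ');
    })
    .join('; ');
}

// Constructed sample configs: the same policy in both supported forms.
const asArray = { defaultSrc: ["'self'"], styleSrc: ["'self'", "'unsafe-inline'"] };
const asString = { defaultSrc: "'self'", styleSrc: "'self' 'unsafe-inline'" };

console.log(buildCsp(asArray));
console.log(buildCsp(asString));
```

Running the normalization once when the config is loaded means a malformed value is reported at startup rather than on whichever request first reaches the affected code path.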