Hello,
I know that the nature of Wappler is to create inline JavaScript inside HTML elements, like onclick and every dynamic event that fires inline JavaScript.
Maybe this would be an opportunity to refactor the way that Wappler creates Dynamic Events as inline JavaScript and allow a modern CSP-compliant style, that is, moving every inline JavaScript into a separate file and allowing, in the properties window, adding the tag “integrity” to write the “hashes” or “nonces”, and maybe, just maybe, automatically generating on every <script> and <style> tag the proper integrity, something like this: https://www.srihash.org/.
Right now, in a Sample Audit review checking for Cross-Site Scripting, Wappler did not pass the CSP rules.
With this in mind, how secure is a website or app made with Wappler without these rules?
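The audit and hash generation the post asks about, as an added Node.js example that is not part of the original post and not Wappler's own code. It lists the inline event handlers a policy without 'unsafe-inline' would block, and computes CSP hash sources for inline blocks plus an srihash.org-style integrity value. The function names and the sample markup are assumptions made for illustration.

```javascript
// Added example, not Wappler code. sampleHtml is constructed for illustration.
const crypto = require("crypto");

// "<alg>-<base64>" is the digest form shared by SRI and CSP hash sources.
const digest = (alg, text) =>
  `${alg}-${crypto.createHash(alg).update(text, "utf8").digest("base64")}`;

// integrity="..." value for an external file (sha384, as srihash.org emits).
const sriIntegrity = (fileText) => digest("sha384", fileText);

// CSP source for the exact text between <script>/<style> tags.
const cspHashSource = (inlineText) => `'${digest("sha256", inlineText)}'`;

// Regex sketch (use an HTML parser for real audits): report what a policy
// without 'unsafe-inline' would block.
function auditInline(html) {
  const handlers = [];
  for (const [, tag, attrs] of html.matchAll(/<([a-z][a-z0-9-]*)\b([^>]*)>/gi)) {
    // on* attributes cannot carry a nonce; they must move to a script file.
    for (const [, name] of attrs.matchAll(/\s(on[a-z]+)\s*=/gi)) {
      handlers.push(`${tag.toLowerCase()}[${name.toLowerCase()}]`);
    }
  }
  const hashes = [];
  const blockRe = /<(script|style)\b([^>]*)>([\s\S]*?)<\/\1\s*>/gi;
  for (const [, tag, attrs, body] of html.matchAll(blockRe)) {
    if (/\ssrc\s*=/i.test(attrs) || body.length === 0) continue; // external/empty
    hashes.push({ tag: tag.toLowerCase(), source: cspHashSource(body) });
  }
  return { handlers, hashes };
}

// Policy that allows same-origin files plus the hashed inline blocks only.
function buildPolicy(audit) {
  const pick = (t) => audit.hashes.filter((h) => h.tag === t).map((h) => h.source);
  return [
    ["script-src", "'self'", ...pick("script")].join(" "),
    ["style-src", "'self'", ...pick("style")].join(" "),
  ].join("; ");
}

const sampleHtml = `<button id="save" onclick="save()">Save</button>
<script src="/js/app.js"></script>
<script>init();</script>
<style>p{color:red}</style>`;

const audit = auditInline(sampleHtml);
console.log(audit.handlers, buildPolicy(audit), sriIntegrity("init();"));
```

A hash covers the exact bytes of the block, so any whitespace change in a generated inline script or style requires a new hash in the policy.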