Our web security company, after scanning our domains, identified an issue with our vBulletin-based server. It seems there is a security risk in omitting the Content-Security-Policy HTTP header from our responses. We have managed to keep the site operating using:
Content-Security-Policy: default-src http:; script-src http: 'unsafe-inline' 'unsafe-eval'; style-src http: 'unsafe-inline'
However, most of their security scans (and many others we have tried) have failed the site for allowing inline JavaScript and CSS.
We are on release 5.1.6 Patch Level 1 of vBulletin. Are there plans to move JavaScript and CSS away from being returned inline, as described here: https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP ? If this has already been corrected, please let me know in which version.
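The findings the scanners are raising can be reproduced offline. The following is an added example, not vBulletin code and not part of the post above: a small Python audit that parses a CSP header value, applies the default-src fallback for script-src and style-src, and reports the source expressions scanners flag ('unsafe-inline', 'unsafe-eval', the bare 'http:' scheme source, and a missing object-src). It also builds the nonce-based policy that makes the finding go away, which only works if the application stamps the same nonce on every inline script and style tag it emits; that is why the forum software itself has to change. The policy string used as sample input is the one from the post, retyped with a straight closing quote; the finding names and the helper functions are this example's own.

```python
"""Audit a Content-Security-Policy header value the way a scanner does.

Added example (not vBulletin code and not from the original post). It parses
the policy, applies the default-src fallback for script-src/style-src, and
reports the source expressions scanners flag. It also shows how a nonce-based
policy is built, which is what clearing the inline-code finding requires.
"""
import secrets

# Source expressions that make CSP2+ browsers ignore 'unsafe-inline' in the
# same directive; their presence means inline code is already restricted.
STRICT_KEYWORDS = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(header_value):
    """Split a CSP value into {directive: [source expressions]}.

    Directives are ';'-separated; the first occurrence of a directive wins
    and later duplicates are ignored, as browsers do.
    """
    policy = {}
    for directive in header_value.split(";"):
        tokens = directive.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        policy.setdefault(name, sources)
    return policy


def effective_sources(policy, directive):
    """script-src and style-src fall back to default-src when not set."""
    return policy.get(directive, policy.get("default-src", []))


def audit_csp(header_value):
    """Return (directive, issue) pairs a scanner would report for this policy."""
    policy = parse_csp(header_value)
    findings = []
    for directive in ("script-src", "style-src"):
        sources = [s.lower() for s in effective_sources(policy, directive)]
        # A nonce or hash in the directive overrides 'unsafe-inline', so only
        # flag it when nothing restricts inline code.
        strict = any(s.startswith(STRICT_KEYWORDS) for s in sources)
        if "'unsafe-inline'" in sources and not strict:
            findings.append((directive, "unsafe-inline"))
        if directive == "script-src" and "'unsafe-eval'" in sources:
            findings.append((directive, "unsafe-eval"))
        # A bare scheme source or '*' allows any host; 'http:' additionally
        # lets an on-path attacker serve whatever they like.
        if "http:" in sources or "*" in sources:
            findings.append((directive, "wildcard-host"))
    # With no object-src and no default-src, plugins (Flash, etc.) are unrestricted.
    if "object-src" not in policy and "default-src" not in policy:
        findings.append(("object-src", "missing"))
    return findings


def nonce_policy(nonce=None):
    """Build a per-response policy that allows only nonce-tagged inline code.

    Returns (policy, nonce). The same nonce must be placed on every inline
    <script>/<style> tag the page emits, so the application must cooperate.
    """
    nonce = nonce or secrets.token_urlsafe(16)
    policy = (
        "default-src 'self'; "
        f"script-src 'self' 'nonce-{nonce}'; "
        f"style-src 'self' 'nonce-{nonce}'; "
        "object-src 'none'"
    )
    return policy, nonce


# Constructed sample input: the policy from the post, with a straight quote.
POSTED_POLICY = (
    "default-src http:; script-src http: 'unsafe-inline' 'unsafe-eval'; "
    "style-src http: 'unsafe-inline'"
)

if __name__ == "__main__":
    for directive, issue in audit_csp(POSTED_POLICY):
        print(f"{directive}: {issue}")
    hardened, nonce = nonce_policy()
    print(hardened)
    print("findings on hardened policy:", audit_csp(hardened))
```

Running it against the posted policy lists five findings (inline, eval and wildcard host for script-src; inline and wildcard host for style-src), which is what the scanners are reporting. The nonce-based policy audits clean, but deploying it requires every inline `<script>` and `<style>` block the forum renders to carry the matching `nonce` attribute, or to be moved into external files.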