<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
Viktor,<br>
<br>
Agreed, I should move the JS out of the template files. I've just
never had a good reason to do so before, so never bothered. :-)<br>
<br>
I'll add it to the list of jobs to do.<br>
<br>
Cheers,<br>
Jules.<br>
<br>
<div class="moz-cite-prefix">On 22/02/2019 7:40 am, Viktor Steinmann
via ZendTo wrote:<br>
</div>
<blockquote type="cite"
cite="mid:WM!58da5aaa7d95165f3e9efd93b92acfa3288c240fa07bc9a2ff6e75d29d0f472e8bcd1e1fb7b118e58704623bf74312f1!@mx.jul.es">Good
morning all
<br>
<br>
I have been playing around with Content Security Headers for
ZendTo, but didn't manage to get them completely right. Does
someone have a working set of CSP headers available to share?
<br>
<br>
While we're at it: Inline JavaScript kills part of any CSP, as it
requires an "unsafe-inline" part in the policy. If all JavaScript
could be extracted from the HTML and put into separate .js files,
the CSP could be tightened even more. Increasing security would be
cool, right? ;-)
<br>
<br>
Kind regards,
<br>
<br>
Viktor
<br>
</blockquote>
<br>
<pre class="moz-signature" cols="72">Jules
--
Julian Field MEng CEng CITP MBCS MIEEE MACM
'Find a place inside where there's joy, and the joy will burn out
the pain.' - Joseph Campbell
<a class="moz-txt-link-abbreviated" href="http://www.Zend.To">www.Zend.To</a>
Twitter: @JulesFM
</pre>
</body>
</html>