the secure PHP framework


Security Headers on Banshee v5.0

15 April 2017, 18:09
Banshee version : 5.0
PHP version : 7.x
Hiawatha version : 10.5

When using Security Headers "Content-Security-Policy", Banshee v5.0 requires to use "unsafe-eval" and "unsafe-inline" for "script-src". Otherwise, some links in the control panel of Banshee v5.0 do not work.

Any idea?
Hugo Leisink
21 April 2017, 13:33
Yes, Banshee requires 'unsafe-inline' and 'unsafe-eval'. But although it's called 'unsafe', Banshee is not. Not every usage of inline links and scripts is unsafe, so I don't agree with calling those settings 'unsafe-*'. It gives a false idea about what's going on.