mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2026-01-26 20:19:35 +00:00
vulnerability Path-relative stylesheet import (PRSSI) fix
Threat

Relative URLs can be dangerous since the browser may not determine the correct directory. If the HTML uses path-relative CSS links, it may be susceptible to path-relative stylesheet import (PRSSI) vulnerabilities. This could allow an attacker to take advantage of CSS imports with relative URLs by overwriting their target file.

Impact

An attacker may trick browsers into importing JavaScript or HTML code as a stylesheet. This has been shown to enable a number of different attacks, including cross-site scripting (XSS) and exfiltration of CSRF tokens.

Solution

It is recommended to use absolute URLs for CSS imports. Alternately you can add the HTML "base" tag in the document which defines the base URL or target location for all the relative URLs. The vulnerability can also be mitigated by using the following best practices to harden the web pages:

• Set a DOCTYPE which does not allow Quirks mode as explained at https://hsivonen.fi/doctype/
• Set response header X-Frame-Options: deny
• Set response header X-Content-Type-Options: nosniff.

-----------

To me the easiest way to fix this, was adding the base URL. :)
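The commit message describes why a path-relative stylesheet link is risky and why a `<base>` tag removes the ambiguity. As an added check, not Part-DB's own code, the script below resolves every `<link rel="stylesheet">` href the way a browser would, against the first `<base href>` when the page declares one and against the page URL otherwise, and flags hrefs whose resolution depends on the path the page was served under. The page URL and both HTML snippets are constructed for the example.

```python
"""Audit stylesheet links for path-relative imports (PRSSI exposure).

Added example, not part of the Part-DB commit. A path-relative href on a
page with no <base> is flagged, because where it resolves depends on
whatever path the page happened to be served under (e.g. /index.php/x/y/
instead of /).
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: the same template served under a deep sub-path,
# once without and once with the <base> tag the commit introduces.
PAGE_URL = "https://example.test/index.php/parts/42/"
HTML_WITHOUT_BASE = '<head><link rel="stylesheet" href="build/app.css"></head>'
HTML_WITH_BASE = ('<head><base href="https://example.test">'
                  '<link rel="stylesheet" href="build/app.css"></head>')


class _StylesheetScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.base = None      # first <base href>, as browsers use it
        self.hrefs = []       # every stylesheet href in document order

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "base" and a.get("href") and self.base is None:
            self.base = a["href"]
        elif tag == "link" and a.get("href"):
            rel = (a.get("rel") or "").lower().split()
            if "stylesheet" in rel:
                self.hrefs.append(a["href"])


def audit_stylesheets(page_url, html):
    """Return [(href, resolved_url, exposed)] for each stylesheet link.

    exposed is True when the href is path-relative (no scheme, no host,
    no leading "/") and the page declares no <base>, i.e. the browser
    resolves it against the current request path.
    """
    scanner = _StylesheetScanner()
    scanner.feed(html)
    base = urljoin(page_url, scanner.base) if scanner.base else page_url
    report = []
    for href in scanner.hrefs:
        parts = urlsplit(href)
        path_relative = (not parts.scheme and not parts.netloc
                         and not href.startswith("/"))
        report.append((href, urljoin(base, href),
                       path_relative and scanner.base is None))
    return report
```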
This commit is contained in:
parent
5b7f44f4ea
commit
3becdd976d
1 changed files with 2 additions and 0 deletions
@ -4,6 +4,8 @@
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
<base href="{{ app.request.getSchemeAndHttpHost() }}">
<link rel="manifest" href="{{ asset('manifest.json') }}">
<meta name="mobile-web-app-capable" content="yes">
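Review bot: `<base href="{{ app.request.getSchemeAndHttpHost() }}">` carries scheme and host only, so every relative URL on the page now resolves against the site root; on an installation served from a sub-path the prefix is dropped, and appending `app.request.getBasePath()` (with a trailing slash) to the base would keep relative links resolving under it. Also worth noting in the commit message: `<base>` applies to all relative URLs in the document, including form actions and in-page fragment links (`href="#..."`), not only stylesheet imports, and the host portion is derived from the request's Host header, so the `trusted_hosts` setting should limit which hosts this base can point at.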