Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by Javascript.
I don’t know what Lemmy uses tbh. I don’t even know if the code would work when run. Like i don’t know e.g. if they grab the username(?) correctly. I just understand their intentions but yeah their execution might be horrible.
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
Doesn’t Lemmy use HttpOnly cookies? This would fix any js based exploit.
Also, strict CSP would prevent it entirely.
out of curiosity, what CSP options would fix this?
To prevent execution of scripts not referenced with the correct nonce:
script-src 'self' 'nonce-$RANDOM'
To make it super strict, this set could be used:
default-src 'self'; script-src 'nonce-$RANDOM' object-src 'none'; base-uri 'none'; form-action 'none'; frame-ancestors 'none'; frame-src 'none'; require-trusted-types-for 'script'
Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also:
form-action 'none';
should be validated. It should be set toself
if forms are actually used to send data to the server and not handled by Javascript.The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
I don’t know what Lemmy uses tbh. I don’t even know if the code would work when run. Like i don’t know e.g. if they grab the username(?) correctly. I just understand their intentions but yeah their execution might be horrible.
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
Someone said they think it is to know if the user is admin. I haven’t verify it. And I tried to make clear that username was a guess.