This repository was archived by the owner on Nov 24, 2020. It is now read-only.
This repository was archived by the owner on Nov 24, 2020. It is now read-only.
[security] Injected gitbook.page.hasChanged script is not CSP-compatible #56
Description
Gitbook should never use inline scripts (eg. <script>...inline script...</script> ) as this requires adding "unsafe-inline" to the Content-Security-Policy which in turn makes the common XSS case (the inline one) much more easily exploitable.
This is of course not a security vulnerability in Gitbook by itself, just Gitbook makes currently hard to implement CSP properly.
I don't know exactly how Gitbook works, but maybe replacing
<script>
var gitbook = gitbook || [];
gitbook.push(function() {
gitbook.page.hasChanged({...json...});
});
</script>with
<script id="gitbook_page_info" type="text/json">
{...json...}
</script>and the gitbook.js init code could automatically search for this tag (eg. document.getElementById("gitbook_page_info")), parse the JSON and call the page.hasChanged method.