I don't think this would fix anything at all. The whole CSP is aimed at protecting an HTML page (so that a malicious injected script/resource cannot do much harm), but the reported vulnerability considers an attacker connecting to the (unprotected) websocket endpoint. The endpoint itself has no notion of CSP/protection.
The websocket endpoint is missing CSRF (CSWSH) protection, allowing a malicious website to control the client.
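As an added example (not part of the original issue or the project's code), this is one way a server can validate the `Origin` header on the WebSocket handshake, the check whose absence the CSWSH report describes and which a page-level CSP does not provide. The allowlist value, function names and sample headers are assumptions made for illustration.

```javascript
// Added example: Origin allowlist check for a WebSocket upgrade request.
// ALLOWED_ORIGINS is a hypothetical value; use the origin(s) that serve your UI.
const ALLOWED_ORIGINS = new Set(["https://app.example.test"]);

// Normalise an Origin header to scheme://host[:port]; null if it is unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let url;
  try {
    url = new URL(value);
  } catch {
    return null;
  }
  if (url.protocol !== "https:" && url.protocol !== "http:") return null;
  // A real Origin header carries no path, query, fragment or credentials.
  if (url.pathname !== "/" || url.search || url.hash || url.username || url.password) {
    return null;
  }
  return url.origin; // host lower-cased, default port dropped
}

// Decide whether to accept an upgrade from its request headers
// (lower-cased names, as Node's http module exposes them).
// Policy choice (assumption): a missing Origin is rejected, which also
// turns away non-browser clients unless they authenticate another way.
function checkUpgrade(headers) {
  if ((headers["upgrade"] || "").toLowerCase() !== "websocket") {
    return { accept: false, status: 400, reason: "not a websocket upgrade" };
  }
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) {
    return { accept: false, status: 403, reason: "missing or opaque Origin" };
  }
  if (!ALLOWED_ORIGINS.has(origin)) {
    return { accept: false, status: 403, reason: "Origin not allowed: " + origin };
  }
  return { accept: true, status: 101, reason: "ok" };
}

// Constructed sample handshakes: exact match, same origin written differently,
// a look-alike host that a prefix comparison would wrongly accept, "null", none.
const SAMPLES = [
  { upgrade: "websocket", origin: "https://app.example.test" },
  { upgrade: "websocket", origin: "https://APP.example.test:443" },
  { upgrade: "websocket", origin: "https://app.example.test.other.test" },
  { upgrade: "websocket", origin: "null" },
  { upgrade: "websocket" },
];
for (const h of SAMPLES) console.log(h.origin, checkUpgrade(h).status);
```

The comparison is an exact match on the normalised origin rather than a substring or prefix test, which is why the look-alike host in the samples is rejected.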