more CSP policies?
Currently we use the following CSP settings:
- connect-src
- default-src
- script-src
- style-src

A testing website (https://csp-evaluator.withgoogle.com/) recommends adding:
- `object-src 'none'` (doc) - the repository does not contain any `<object>` HTML entities, thus this should cause no harm
- `require-trusted-types-for 'script';` (doc) - I am not sure whether our frontend code would have problems with this setting
Any opinions?
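To see why the evaluator asks for an explicit `object-src 'none'` even though the policy already has a `default-src`, here is a small checker, added as an example and not part of the original post or the project's code. It parses a Content-Security-Policy value, resolves the `default-src` fallback that fetch directives such as `object-src` inherit, and reports whether the two recommended directives are effectively in place. The two header strings are constructed samples standing in for the project's real policy.

```python
"""Check a CSP header for the two directives recommended by csp-evaluator.

Added example; the policy strings below are constructed and do not come
from the project's actual configuration.
"""

from __future__ import annotations

# Fetch directives that inherit default-src when they are not set explicitly
# (subset of the CSP3 list; object-src is the one that matters here).
FALLS_BACK_TO_DEFAULT = {
    "object-src", "script-src", "style-src", "connect-src",
    "img-src", "font-src", "media-src", "frame-src", "worker-src",
}


def parse_csp(header: str) -> dict[str, list[str]]:
    """Split a policy value into {directive-name: [source expressions]}."""
    policy: dict[str, list[str]] = {}
    for raw in header.split(";"):
        tokens = raw.strip().split()
        if not tokens:
            continue
        name, values = tokens[0].lower(), tokens[1:]
        # A repeated directive is ignored by browsers: the first one wins.
        policy.setdefault(name, values)
    return policy


def effective(policy: dict[str, list[str]], directive: str) -> list[str] | None:
    """Source list that actually governs `directive`, honouring the
    default-src fallback. None means the directive is unrestricted."""
    if directive in policy:
        return policy[directive]
    if directive in FALLS_BACK_TO_DEFAULT and "default-src" in policy:
        return policy["default-src"]
    return None


def review(header: str) -> dict[str, str]:
    """Report the state of object-src and require-trusted-types-for."""
    policy = parse_csp(header)
    findings: dict[str, str] = {}

    obj = effective(policy, "object-src")
    if obj is None:
        findings["object-src"] = "missing: plugin content is unrestricted; add object-src 'none'"
    elif obj == ["'none'"]:
        findings["object-src"] = "ok"
    else:
        # Inherited from default-src: <object>/<embed> may still load from these sources.
        findings["object-src"] = "permissive: " + " ".join(obj)

    tt = policy.get("require-trusted-types-for")
    if tt is None:
        findings["require-trusted-types-for"] = "missing: DOM sinks still accept plain strings"
    elif "'script'" in tt:
        findings["require-trusted-types-for"] = "ok"
    else:
        findings["require-trusted-types-for"] = "unexpected value: " + " ".join(tt)
    return findings


# Constructed sample policies: the shape of the current header and the
# proposed one with the evaluator's two additions appended.
CURRENT = "default-src 'self'; script-src 'self'; style-src 'self'; connect-src 'self'"
PROPOSED = CURRENT + "; object-src 'none'; require-trusted-types-for 'script'"

if __name__ == "__main__":
    for label, hdr in (("current", CURRENT), ("proposed", PROPOSED)):
        print(label, review(hdr))
```

With the sample current policy, `object-src` silently inherits `'self'` from `default-src`, so plugin content from the site's own origin would still be allowed; adding the explicit `'none'` closes that regardless of what `default-src` says. The `require-trusted-types-for` check only tells you the directive is present; whether the frontend still works under it has to be tested in a browser, ideally first with `Content-Security-Policy-Report-Only` so violations are reported instead of enforced.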