You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository was archived by the owner on Nov 24, 2020. It is now read-only.
Gitbook should never use inline scripts (eg. <script>...inline script...</script> ) as this requires adding "unsafe-inline" to the Content-Security-Policy which in turn makes the common XSS case (the inline one) much more easily exploitable.
This is of course not a security vulnerability in Gitbook by itself, just Gitbook makes currently hard to implement CSP properly.
I don't know exactly how Gitbook works, but maybe replacing
and the gitbook.js init code could automatically search for this tag (eg. document.getElementById("gitbook_page_info")), parse the JSON and call the page.hasChanged method.
Gitbook should never use inline scripts (eg.
<script>...inline script...</script>) as this requires adding "unsafe-inline" to the Content-Security-Policy which in turn makes the common XSS case (the inline one) much more easily exploitable.This is of course not a security vulnerability in Gitbook by itself, just Gitbook makes currently hard to implement CSP properly.
I don't know exactly how Gitbook works, but maybe replacing
with
and the
gitbook.jsinit code could automatically search for this tag (eg.document.getElementById("gitbook_page_info")), parse the JSON and call thepage.hasChangedmethod.