While implementing Helmet in a project, a dev in our team found the below issue:
Helmet by default applies the following CSP directive:
script-src-attr 'none';
This CSP directive blocks inline event handlers (or static events) such as onChange, causing these to fail. For these events to work, the directive should be set as follows:
script-src-attr 'unsafe-inline';
However, this directive is not exposed in the server configuration in Wappler. Ideally, all the directives that Helmet sets by default for CSP should be exposed for the user to edit.
If not, then useDefaults should be set to false, to prevent Helmet from merging the managed CSP directives into its defaults.
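An added example (not code from the post, Wappler or Helmet) that models what the report describes: how Helmet's merge of user directives onto its defaults produces the header, and why an inline handler such as onChange is blocked. It assumes Helmet's documented merge behaviour (with useDefaults true, user directives overlay the defaults and a directive set to null is dropped) and the CSP3 fallback order script-src-attr, then script-src, then default-src; the HELMET_DEFAULTS object is a constructed subset of Helmet's defaults.

```javascript
// Constructed subset of Helmet's default CSP directives (assumption, see lead-in).
const HELMET_DEFAULTS = {
  'default-src': ["'self'"],
  'script-src': ["'self'"],
  'script-src-attr': ["'none'"],
  'object-src': ["'none'"],
};

// Build the Content-Security-Policy header value the way Helmet merges it:
// with useDefaults, user directives overlay the defaults; null removes a directive.
function buildCsp(directives, useDefaults = true) {
  const merged = useDefaults ? { ...HELMET_DEFAULTS, ...directives } : { ...directives };
  return Object.entries(merged)
    .filter(([, sources]) => sources !== null)
    .map(([name, sources]) => `${name} ${sources.join(' ')}`)
    .join('; ');
}

// Parse a CSP header value into { directiveName: [sources...] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Would an inline event-handler attribute (onclick="...", onchange="...") run under
// this policy? Per CSP3, script-src-attr governs it, falling back to script-src and
// then default-src; 'unsafe-inline' is honoured only if the governing directive has
// no nonce or hash sources. ('unsafe-hashes' is deliberately not modelled here.)
function inlineHandlersAllowed(header) {
  const policy = parseCsp(header);
  const governing = ['script-src-attr', 'script-src', 'default-src'].find((d) => d in policy);
  if (!governing) return true; // no governing directive: attributes are unrestricted
  const sources = policy[governing];
  const hasNonceOrHash = sources.some((s) => /^'(nonce-|sha(256|384|512)-)/i.test(s));
  return sources.includes("'unsafe-inline'") && !hasNonceOrHash;
}

// Three cases from the thread: Helmet defaults, the directive overridden, and the
// directive merely removed (which still blocks, because of the fallback to script-src).
const withDefaults = buildCsp({});
const overridden = buildCsp({ 'script-src-attr': ["'unsafe-inline'"] });
const removed = buildCsp({ 'script-src-attr': null });
console.log(withDefaults, inlineHandlersAllowed(withDefaults)); // ... false
console.log(overridden, inlineHandlersAllowed(overridden));     // ... true
console.log(removed, inlineHandlersAllowed(removed));           // ... false
```

Note that dropping script-src-attr without also changing script-src does not unblock the handlers, because the attribute check falls back to script-src 'self'.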
We carefully chose defaults that are secure but that also allow Wappler's App Connect and Server Connect to function.
Otherwise, if you just choose the full Helmet defaults, the scripts will be blocked and your site will not function.
We will see if we can add more options so you can set them yourself. You can already type custom options, if they are not available to pick, and press Enter to complete them.
Hi @George
Please read the issue again. It is a bug.
We are not asking to reduce security in any form. Static events are also part of how Wappler functions, and that does not work because there is no option to set script-src-attr in the UI currently.