Are they just an issue with wefwef or trying to use an exploit
To prevent execution of scripts not referenced with the correct nonce:
script-src 'self' 'nonce-$RANDOM'
To make it super strict, this set could be used:
default-src 'self';
script-src 'nonce-$RANDOM'
object-src 'none';
base-uri 'none';
form-action 'none';
frame-ancestors 'none';
frame-src 'none';
require-trusted-types-for 'script'
Especially the last one might cause the most work, because the “modern web development environment” simply cannot provide this. Also: form-action 'none'; should be validated. It should be set to self if forms are actually used to send data to the server and not handled by Javascript.
The MDN has a good overview: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy
I don’t know what Lemmy uses tbh. I don’t even know if the code would work when run. Like i don’t know e.g. if they grab the username(?) correctly. I just understand their intentions but yeah their execution might be horrible.
I’d be willing to bet they’re using the API to make all the changes. The cookie has the jwt token. I don’t believe you need the username (at least judging by the js API docs).
