This repository has been archived by the owner on Sep 7, 2023. It is now read-only.

Handle double-bang redirections better for CSP #3262

Open
sevmonster opened this issue Jun 12, 2022 · 1 comment

@sevmonster

Is your feature request related to a problem? Please describe.
When using double-bangs with POST requests, the site you will be redirected to must be added to form-action CSP else it will be blocked for violation.

Describe the solution you'd like
Find a way to not send form data when redirecting to another site with double-bangs so that every engine does not need to be added to CSP.

Describe alternatives you've considered
Started adding sites to CSP—it quickly becomes unmaintainable.

Example
On my server, try to search for "Nagios !!alternativeto". Since I did not add alternativeto.net to form-action, this is the result:
image

Additional context
Related: searxng/searxng#140
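
The check described above, as an added example that is not part of the original issue or of the searx code base: a simplified matcher for the `form-action` source list, run over a set of bang redirect targets to show which ones a policy would block. The policy, the `searx.example` origin, the target URLs and all function names are constructed assumptions.

```python
from urllib.parse import urlsplit
DEFAULT_PORTS = {"http": 80, "https": 443}

def form_action_sources(csp_header):
    # form-action has no default-src fallback: None means "unrestricted".
    for directive in csp_header.split(";"):
        tokens = directive.lower().split()
        if tokens and tokens[0] == "form-action":
            return tokens[1:]
    return None

def _origin(url):
    u = urlsplit(url)
    return u.scheme, u.hostname, u.port or DEFAULT_PORTS.get(u.scheme)

def source_matches(source, target, self_origin):
    # Simplified CSP source matching: no IPv6 literals, path parts ignored.
    t_scheme, t_host, t_port = _origin(target)
    if source == "'self'":
        return _origin(target) == _origin(self_origin)
    if source == "*":
        return t_scheme in DEFAULT_PORTS
    if source.endswith(":"):                     # scheme-source, e.g. "https:"
        return t_scheme == source[:-1]
    scheme, sep, rest = source.partition("://")  # host-source
    if not sep:                                  # no scheme: inherit the page's
        scheme, rest = _origin(self_origin)[0], source
    host, _, port = rest.split("/", 1)[0].partition(":")
    if t_scheme != scheme and not (scheme == "http" and t_scheme == "https"):
        return False
    host_ok = t_host.endswith(host[1:]) if host.startswith("*.") else host == t_host
    port_ok = port == "*" or t_port == (int(port) if port else DEFAULT_PORTS.get(t_scheme))
    return host_ok and port_ok

def blocked_targets(csp_header, self_origin, targets):
    sources = form_action_sources(csp_header)
    return [t for t in targets if sources is not None
            and not any(source_matches(s, t, self_origin) for s in sources)]

# Constructed sample values (not taken from the issue): policy, origin, targets.
CSP = "default-src 'self'; form-action 'self' https://github.com *.wikipedia.org"
SELF = "https://searx.example"
TARGETS = [
    "https://searx.example/search",
    "https://github.com/search?q=nagios",
    "https://en.wikipedia.org/wiki/Special:Search?search=nagios",
    "https://alternativeto.net/browse/search/?q=nagios",
]
print(blocked_targets(CSP, SELF, TARGETS))
```

Running the same function over the redirect URLs of every configured engine gives the list of origins a deployment would have to add to `form-action` to keep POST double-bang searches working.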

@sevmonster

I somehow managed to open this in the completely wrong repository... But I will leave it open here though in case this is an issue that vanilla searx suffers from. Feel free to close if this is not applicable.
