Wapp

Differences From Artifact [a459908f10]:

To Artifact [59d708175a]:


Security Considerations
=======================

Wapp strives for security by default.  Applications can disable security
features on an as-needed basis, but the default setting for security
features is always "on".

Security features in Wapp include:

  1.  The default
      [Content Security Policy](https://en.wikipedia.org/wiki/Content_Security_Policy)
      of "CSP"
      ("CSP")
      for all Wapp applications is _default-src 'self'_.  In that mode,
      resources must all be loaded from the same origin, the use of
      eval() and similar commands in javascript is prohibited, and
      no in-line javascript or CSS is allowed.  These limitations help
      keep applications safe from 
      [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting)
      attacks, even in the face of application coding errors. If these
      [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting),
      even in the face of application coding errors. If these
      restrictions are too severe for an application, the CSP can be
      relaxed or disabled using the 
      "[wapp-content-security-policy](commands.md#csp)" command.

  2.  Access to GET query parameters and POST parameters is prohibited
      unless the origin of the request is the application itself, as
      determined by the Referrer field in the HTTP header. This feature