
Content Security Policy Header

Open Azareal opened this issue 7 years ago • 2 comments

This header can be useful for running scripts which shouldn't, however there are a few spots where we run inline scripts, so we want to make sure we don't end up killing those along with the baddies.

We probably want to start by surveying every spot with inline scripts and going through there; perhaps we can keep them working with a nonce or something while still getting that anti-XSS goodness. There are plenty of resources on the web which go into it, but Troy Hunt has an interesting stance in: https://www.troyhunt.com/locking-down-your-website-scripts-with-csp-hashes-nonces-and-report-uri/

Azareal avatar Jun 25 '18 08:06 Azareal

I added a simple CSP header to automatically upgrade outgoing requests for images to HTTPS to avoid mixed content alerts.

I might add a configuration setting to disable that, if there turn out to be a lot of servers which only run HTTP. A proxy is also an option, although someone might abuse it to DDoS a server.

Azareal avatar Aug 30 '18 01:08 Azareal

I'm in the midst of upgrading the content security policy headers.

  • They should kill off any script which isn't served from the same domain as the current page.
  • They will also kill any inline scripts.

There are a few spots where I use inline scripts, however, so they're currently exempt. I am working on converting them away from that though, so that I can set that policy everywhere.

Azareal avatar Mar 04 '19 02:03 Azareal
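The policy described across this thread (same-origin scripts only, inline scripts blocked unless they carry a per-response nonce, plain-HTTP subresources upgraded to HTTPS) as an added example in Go; this is illustrative code written for this page, not Gosora's own middleware. The handler names, the context key and the listen address are assumptions.

```go
package main

import (
	"context"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"net/http"
	"strings"
)

type ctxKey struct{} // assumed context key for passing the nonce to templates
// buildCSP assembles the policy: scripts only from the same origin or carrying this
// response's nonce, no plugins, and http:// subresources (images etc.) upgraded to https.
func buildCSP(nonce string) string {
	return strings.Join([]string{
		"default-src 'self'",
		fmt.Sprintf("script-src 'self' 'nonce-%s'", nonce),
		"object-src 'none'",
		"upgrade-insecure-requests",
	}, "; ")
}
// NonceFromContext gives templates the value for <script nonce="..."> on the few
// inline scripts that remain; any inline script without it is blocked by the browser.
func NonceFromContext(ctx context.Context) string {
	n, _ := ctx.Value(ctxKey{}).(string)
	return n
}
// CSPMiddleware mints a fresh 128-bit random nonce per response, sets the header,
// and hands the nonce to downstream handlers through the request context.
func CSPMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		raw := make([]byte, 16)
		if _, err := rand.Read(raw); err != nil {
			http.Error(w, "internal error", http.StatusInternalServerError)
			return
		}
		nonce := base64.StdEncoding.EncodeToString(raw)
		w.Header().Set("Content-Security-Policy", buildCSP(nonce))
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), ctxKey{}, nonce)))
	})
}

func main() {
	h := CSPMiddleware(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "<script nonce=%q>console.log('allowed')</script>", NonceFromContext(r.Context()))
	}))
	http.ListenAndServe("127.0.0.1:8080", h) // demo server; address is an assumption
}
```

Because the nonce is random per response, a page that leaks one nonce does not unlock inline scripts on any other response; check the served HTML with the browser's console to confirm non-nonced inline scripts are reported as blocked.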