
Revamp CSP policy for DCC / web.dev

Open devnook opened this issue 2 years ago • 2 comments

We need to:

  • set up proper CSP policy for DCC
  • provide a way to enable external and inline scripts compliant with the policy on DCC
  • review policy for web.dev
  • consider performance implications of sending a big CSP header payload on each request
  • write up documentation on the final solution

devnook avatar Oct 10 '22 15:10 devnook

CSP headers should also go per route to prevent bloating headers with nonces for scripts not used on every page. For web.dev we ship roughly 2.8KB of CSP headers for every request right now.

matthiasrohmer avatar Oct 11 '22 08:10 matthiasrohmer

To provide a little initial context and direction: we should aim to implement as per https://web.dev/strict-csp/

To clarify: I don't believe that dcc or web.dev use nonces in the CSP sense. They send per-script hashes. Ideally we would make use of the nonce approach, but this may simply not be possible with statically generated sites as we would need to insert a different nonce in the HTML on each request.

rowan-m avatar Oct 11 '22 14:10 rowan-m