
🛠️ - [Task tracker] Improve Content Security Policies

Open nicole-obrien opened this issue 1 year ago • 2 comments

Task description

Fix issue reported here: [Transak] Missing Content Security Policy Directives in Bloom Application

We need to define stricter content security policies for our app to make it more secure. This is the list of policies that we can add/improve:

  • [x] #2144
  • [x] default-src
  • [x] connect-src
  • [x] img-src
  • [x] base-uri
  • [x] form-action
  • [x] frame-src
  • [ ] ~frame-ancestors~ Should be in request headers, not in <meta>
  • [x] worker-src
  • [x] script-src-attr
  • [x] style-src-elem
  • [x] style-src-attr
  • [x] object-src
  • [x] media-src
  • [x] font-src
  • [x] manifest-src
  • [ ] ~prefetch-src~ Unrecognized directive
  • [x] navigate-to
  • [ ] ~report-to~ Needs a Sentry endpoint to be added
  • [ ] ~sandbox~ Should be in request headers, not in <meta>
  • [x] upgrade-insecure-requests

Requirements

No response

nicole-obrien · Mar 01 '24 15:03

The Transak window loads a remote URL, so the CSP for it is not in our control. The issue is related to the HTML files that we are loading, like index.html, error.html and about.html; I will fix them.

jeeanribeiro · Mar 11 '24 22:03
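Added example, not code from the Bloom repository or from the people in this thread: a small Node script that builds the `content` value for a `Content-Security-Policy` `<meta>` tag from a directive map and reports the two problems the checklist above struck out, namely directives that browsers ignore inside `<meta>` (frame-ancestors, sandbox, report-uri; these belong in the response header) and directive names the policy grammar does not recognize (prefetch-src in the list), which browsers silently drop. It also parses an existing policy string back into a map so the same checks can be run against what index.html, error.html and about.html actually carry. The recognized-directive set, the sample sources and the `example.invalid` hosts are constructed for the example.

```javascript
// Added example (not Bloom's own code). Directive set and sample values are
// constructed for illustration; the real Bloom policy is not reproduced here.

// Directive names this example recognizes. Anything outside this set is
// reported as unrecognized rather than emitted, because browsers ignore
// unknown directives without any error.
const RECOGNIZED = new Set([
  "default-src", "script-src", "script-src-elem", "script-src-attr",
  "style-src", "style-src-elem", "style-src-attr", "img-src", "font-src",
  "connect-src", "media-src", "object-src", "frame-src", "worker-src",
  "child-src", "manifest-src", "base-uri", "form-action", "navigate-to",
  "frame-ancestors", "sandbox", "report-uri", "report-to",
  "upgrade-insecure-requests",
]);

// Directives that only take effect in the Content-Security-Policy response
// header; a <meta> element cannot enforce them.
const HEADER_ONLY = new Set(["frame-ancestors", "sandbox", "report-uri"]);

// Serialize a { directive: [sources] } map into policy text suitable for a
// <meta> tag. Boolean directives (empty source list) are emitted as a bare
// name. Header-only and unrecognized directives are left out of the policy
// and returned in `problems` so the caller can move or drop them.
function buildMetaPolicy(directives) {
  const parts = [];
  const problems = [];
  for (const [name, sources] of Object.entries(directives)) {
    if (!RECOGNIZED.has(name)) {
      problems.push(`${name}: unrecognized directive, browsers will ignore it`);
      continue;
    }
    if (HEADER_ONLY.has(name)) {
      problems.push(`${name}: ignored in <meta>, set it in the response header`);
      continue;
    }
    parts.push(sources.length ? `${name} ${sources.join(" ")}` : name);
  }
  return { policy: parts.join("; "), problems };
}

// Parse policy text (e.g. the content attribute pulled from index.html) back
// into a { directive: [sources] } map for auditing with buildMetaPolicy.
function parsePolicy(text) {
  const directives = {};
  for (const raw of text.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    directives[name.toLowerCase()] = sources;
  }
  return directives;
}

// Wrap policy text in the <meta> element the HTML files would carry.
function metaTag(policy) {
  return `<meta http-equiv="Content-Security-Policy" content="${policy}">`;
}

// Constructed sample: deliberately includes the three directives the issue
// struck out (frame-ancestors, sandbox, prefetch-src) so the checks fire.
const SAMPLE = {
  "default-src": ["'self'"],
  "connect-src": ["'self'", "https://api.example.invalid"],
  "img-src": ["'self'", "data:"],
  "object-src": ["'none'"],
  "base-uri": ["'self'"],
  "form-action": ["'self'"],
  "frame-src": ["https://widget.example.invalid"], // placeholder for the remote widget origin
  "upgrade-insecure-requests": [],
  "frame-ancestors": ["'none'"],
  "sandbox": [],
  "prefetch-src": ["'self'"],
};

const result = buildMetaPolicy(SAMPLE);
console.log(metaTag(result.policy));
for (const p of result.problems) console.log("problem:", p);
```

Running it prints the `<meta>` tag with the eight usable directives and three problem lines; the header-only ones are what a web server or Electron session header hook has to set instead, since the `<meta>` variant cannot protect against framing or apply a sandbox.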

Also investigate frame-src inside index.html.

Tuditi · Mar 13 '24 15:03