pinafore
Tighten CSP for styles
The possibility is remote, but a malicious instance could inject CSS within status content or CWs to do a CSS keylogger, and grab things like CWs and toot text while you're composing them.
You would have to log into the instance yourself in order for this to work; there are no password fields in Pinafore, and JS injection is also disabled via CSP, so the potential damage is minimal. But we may as well reduce the attack surface.
Current challenge: lots of inline styles generated by both our app and Sapper that would need to be nonced/checksummed.
> JS injection is disabled via CSP,
Only a nitpick, but do not consider the CSP as disabling anything. It is an (admittedly good and important) layer of defense, but priority number one is still to fix XSS issues.
But I agree with this issue. Inline styles should be removed, so you can remove 'unsafe-inline' from the style CSP directive. Or you can use nonces or hashes (like you do for the JS)…
https://csp-evaluator.withgoogle.com/ BTW is a good resource.
Related: https://github.com/nolanlawson/pinafore/issues/776
Can't enable this CSP header without having all of our CSS file-based rather than injected as `<style>` tags.