Content-Security-Policy

Open shesek opened this issue 10 years ago • 0 comments

Should use the following header:

Content-Security-Policy:
  default-src https://www.bitrated.com/;
  frame-src 'none';
  object-src 'none';
  connect-src https://www.bitrated.com/ https://blockchain.info/ https://coinb.in/;
  report-uri /csp-violation/

This is pretty much as strict as it can get. This instructs the browser to:

  • Block resources that don't originate from bitrated.com over SSL
  • Block XmlHttpRequests except for blockchain.info and coinb.in APIs
  • Block inline scripts
  • Block eval (not that it does much against XSS, but why not)
  • Block iframes and objects completely (those aren't currently used)
  • Send violation reports to an API endpoint.

Todo:

  • [ ] Move inline script that tests browser support to a separate file
  • [ ] Check for other inline script usages (there shouldn't be any)
  • [ ] Add header on dev environment
  • [ ] Ensure nothing breaks (mostly by disallowing eval - not used in Bitrated, but might be used in one of the libraries)
  • [ ] API for violation reports, forward to email
  • [ ] Update security page
  • [ ] Push live

shesek avatar Jan 24 '14 13:01 shesek
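As an added example that is not part of the issue or of Bitrated's own code, the following Python models the header proposed above. It serialises the directives into a header value, resolves which sources apply to a fetch directive (the `script-src` fallback to `default-src` is why inline scripts and `eval` end up blocked even though the header never names `script-src`), checks whether a given URL is permitted, and parses the JSON body a browser POSTs to `report-uri` so a violation endpoint could forward it. The helper names, the constructed sample report and the simplified source matching are all assumptions, not anything from the Bitrated project.

```python
import json
from urllib.parse import urlsplit

# Constructed policy mirroring the directives listed in the issue above.
CSP_POLICY = {
    "default-src": ["https://www.bitrated.com/"],
    "frame-src": ["'none'"],
    "object-src": ["'none'"],
    "connect-src": [
        "https://www.bitrated.com/",
        "https://blockchain.info/",
        "https://coinb.in/",
    ],
    "report-uri": ["/csp-violation/"],
}


def build_csp_header(policy):
    """Serialise a directive -> sources mapping into a Content-Security-Policy value."""
    return "; ".join(f"{d} {' '.join(srcs)}" for d, srcs in policy.items())


def effective_sources(policy, directive):
    """Return the source list that governs a fetch directive.

    A fetch directive that is not set explicitly inherits default-src; that is how
    this policy blocks inline scripts and eval without ever naming script-src.
    """
    if directive in policy:
        return policy[directive]
    return policy.get("default-src", [])


def is_source_allowed(policy, directive, url):
    """Simplified CSP source matching: scheme and host must match exactly, a path
    ending in '/' is a prefix match. Keyword sources ('self', 'unsafe-inline')
    are not modelled here (assumption: this policy does not use them)."""
    sources = effective_sources(policy, directive)
    if "'none'" in sources:
        return False
    target = urlsplit(url)
    for src in sources:
        if src.startswith("'"):
            continue
        allowed = urlsplit(src)
        if allowed.scheme != target.scheme or allowed.netloc != target.netloc:
            continue
        if allowed.path in ("", "/") or target.path.startswith(allowed.path):
            return True
    return False


def inline_script_allowed(policy):
    """Inline scripts (and inline handlers) run only if script-src, or its fallback,
    carries 'unsafe-inline'."""
    return "'unsafe-inline'" in effective_sources(policy, "script-src")


def eval_allowed(policy):
    """eval()/new Function() run only if script-src, or its fallback, carries 'unsafe-eval'."""
    return "'unsafe-eval'" in effective_sources(policy, "script-src")


def parse_csp_report(body):
    """Parse the JSON a browser POSTs to report-uri into the fields worth forwarding."""
    report = json.loads(body).get("csp-report", {})
    return {
        "document_uri": report.get("document-uri"),
        "violated_directive": report.get("violated-directive"),
        "blocked_uri": report.get("blocked-uri"),
        "source_file": report.get("source-file"),
        "line_number": report.get("line-number"),
    }


# Constructed sample of what a browser would send for a blocked inline script.
SAMPLE_REPORT = json.dumps({
    "csp-report": {
        "document-uri": "https://www.bitrated.com/",
        "violated-directive": "default-src https://www.bitrated.com/",
        "blocked-uri": "inline",
        "source-file": "https://www.bitrated.com/",
        "line-number": 12,
    }
})


if __name__ == "__main__":
    print(build_csp_header(CSP_POLICY))
    print(is_source_allowed(CSP_POLICY, "script-src", "https://blockchain.info/x.js"))
    print(parse_csp_report(SAMPLE_REPORT))
```

A `blocked-uri` of `inline` in the report is the signal for the first todo item above (the browser-support test script still inline), so a report endpoint that groups reports by `blocked_uri` and `source_file` finds such leftovers quickly.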