-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat: add content security policy header #172
Conversation
Deploying with Cloudflare Pages
|
0fcc485
to
df29e91
Compare
packages/edge-gateway/src/gateway.js
Outdated
|
||
clonedResponse.headers.set( | ||
'content-security-policy', | ||
"connect-src 'self'; script-src 'self'" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should use default-src
otherwise embedded content could be used to sidestep restrictions here e.g. embed image from URL passing secret as query param or part of the path, font, css etc....
"connect-src 'self'; script-src 'self'" | |
"default-src 'self'; script-src 'self'" |
- We should utilize report-uri directive to collect data about what resources get blocked & inform our future decisions by it.
- I don't know how common it is, but I think there is no reason to not allow
unsafe-inline
(along withself
) so that inline scripts, css will continue to work. Without it script tags and style tags will be ignored unless I'm mistaken. - We may also want to enable
unsafe-eval
, I don't see a reason to block JS eval as some pages may be using them. On the other hand we can also not enable and see if they get reported. - I also think
data:*
andblob:*
URLs could be enabled as those can not be utilized for data smuggling. - I think
default-src
does not covernavigato-to
so we should restrict that as well, otherwise attacker can simply make a submit button be a link that takes you to adversaries site delivering stolen secret as query param or even a URL path fragment. - It looks like
default-src
does not coverform-action
either which again could be used to steal data via HTML forms.
I think if we add all the above we should cover all the possibilities, but then again CSPs are notoriously complicated so I think we should have at some tests to verify desired behavior.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks for all these details @Gozala ❤️
- Definitely, I will create an issue to get that part of Malware mitigation initiative given we need to add an endpoint, persist data and see how to act from there
- Agreed, adding that ✅
- it should be fine to also add, but yeah let's wait and see if issues are reported
- makes total sense thanks, didn't find these in mdn docs but now I see they are part of the spec ✅
- yeah,
default-src
follows only*-src
.navigate-to
looks experimental and not supported in any browser yet. I will add anyway as is part of the spec ✅ - ✅ like
navigate-to
, it only makes senseself
in this scenario
I think if we add all the above we should cover all the possibilities, but then again CSPs are notoriously complicated so I think we should have at some tests to verify desired behavior.
Definitely, I want to try a few of the reported CIDs with this and have a look on the behaviour. Once we have it in staging, I will be able to test it. Later on, we can actually consider having real tests part of the test suite, but this will be quite tricky and time consuming for now
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added work track for report-uri
at 2nd point in https://hackmd.io/@vasco-santos/rJWZsz-Cc
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good to me
Based on proposal from @Gozala https://gozala.io/workspace/#/page/ipfs%20content-security-policy let's add Content-Security-Policy header to only allow requests within same origin.
This is added to the response from the gateway race before it is cached, so that responses from cache will also have the header already set.