General:

HTML code is passed on lines 31-56. This code was without a CSP,
leaving it vulnerable. A strict CSP was added on lines 35-38.

Notes:

1. VS Code documentation, as well as other recommendations on CSPs,
use default-src 'none'. However, after reviewing the CSPs added in
Pull Request #1020, I followed the convention of
default-src vscode-resource. Make sure this is the level of security
wanted, rather than the more secure 'none'.

2. form-action and frame-ancestors are included because these two
directives do not automatically use the default-src permission of
the CSP and must be explicitly set.

3. img-src includes https: as recommended by VS Code documentation for
CSPs. I also included vscode-resource, but I did not include data:
because I don't understand why it's used in Pull Request #1020.
If you would like me to include data: let me know, and I will add it to
the CSP.

4. script-src and style-src have 'self' included, but if this is
redundant after specifying vscode-resource, let me know and I will
remove the 'self' value. Including 'self' whitelists all scripts
and styles originating from the URL of the project website.

5. script-src and style-src also have 'unsafe-inline' included, as they
were included in the CSPs in Pull Request #1020, but it is
recommended that SHA-256 be used when possible instead. script-src
can use a SHA-256 hash of scripts, but I'm not sure if style-src can
as well. Regardless, I continued using 'unsafe-inline' to match the
other CSPs in the project, and because I didn't want to break any of
the project's current functions by using too strict a CSP.
TantumErgo authored and shanalikhan committed Sep 12, 2019
1 parent 4e307d4 commit a424071
Showing 1 changed file with 4 additions and 0 deletions.
4 changes: 4 additions & 0 deletions src/service/github.oauth.service.ts
Expand Up @@ -32,6 +32,10 @@ export class GitHubOAuthService {
<html lang="en">
<head>
<meta charset="utf-8">
<meta
http-equiv="Content-Security-Policy"
content="default-src vscode-resource:; form-action vscode-resource:; frame-ancestors vscode-resource:; img-src vscode-resource: https:; script-src 'self' 'unsafe-inline' vscode-resource:; style-src 'self' 'unsafe-inline' vscode-resource:;"
/>
<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
</head>
<body>
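Review bot: `'unsafe-inline'` in the `script-src` directive of the new meta tag (the `content="..."` line) undoes most of the injection protection this CSP is meant to add, because any script an attacker manages to place inline in this HTML is still allowed to run; since the page is built in TypeScript at runtime, the usual fix is to generate a random nonce per render, put `nonce="${nonce}"` on the page's own inline `<script>`/`<style>` elements and replace `'unsafe-inline'` with `'nonce-${nonce}'` in both `script-src` and `style-src`. To the open question in the commit message: `style-src` does accept SHA-256 hashes and nonces for inline `<style>` blocks, so the same approach covers styles. Two smaller points on the same line: `'self'` matches the origin the document is served from, which in a webview is not the project website, so it likely adds nothing beyond `vscode-resource:` and can be dropped; and `default-src vscode-resource:` rather than `'none'` means every directive not listed here (for example `connect-src`, `font-src`, `object-src`) silently inherits that allowance, which should be a deliberate choice.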

0 comments on commit a424071
