Implement Nonce Based CSP #17

Open · 6 tasks
henrym2 opened this issue Jul 28, 2020 · 0 comments
Labels: documentation (Improvements or additions to documentation), enhancement (New feature or request)

Comments

henrym2 (Collaborator) commented Jul 28, 2020

Expected Behavior

Nonce based CSP (with respect to script tags) will help to reduce XSS attack surfaces on web applications built with this bundle. The amount of CSP support already built into the Symfony project is somewhat limited. Discussions remain open with regards to implementing some level of the NelmioSecurityBundle which provides CSP for Symfony web applications.

This feature regardless of the level of support is non-trivial and likely will involve interfacing with the Twig templating engine to ensure that nonce replacement/insertion is handled correctly.

Steps to Implement Solution

  • Research CSP modules in Symfony and other bundles
  • Decide on what depth CSP should be implemented in bundle
  • Research bridge between Symfony and Twig
  • Construct nonce generation modules
  • Construct Template modification modules
  • Devise implementation guides
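As an added example that is not part of this issue or the bundle's code, here is one way the nonce generation and template modification modules from the steps above fit together in Symfony: a per-request nonce provider, a kernel subscriber that emits the matching `Content-Security-Policy` header, and a Twig function templates call to stamp the nonce onto their script tags. It assumes PHP 8 and Symfony 5.3 or later, the namespace and class names shown are made up for illustration, and the three classes still need to be registered as autowired services in the bundle's own configuration.

```php
<?php
// Added example, not the bundle's code: per-request nonce, CSP header, Twig helper.
namespace App\Security\Csp; // assumed namespace

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Twig\Extension\AbstractExtension;
use Twig\TwigFunction;

final class NonceProvider
{
    private ?string $nonce = null;
    // 128 bits from the CSPRNG, base64-encoded so it is a valid CSP nonce token.
    public function get(): string { return $this->nonce ??= base64_encode(random_bytes(16)); }
    public function reset(): void { $this->nonce = null; }
}

final class CspSubscriber implements EventSubscriberInterface
{
    public function __construct(private NonceProvider $nonces) {}
    public static function getSubscribedEvents(): array
    {
        return [KernelEvents::REQUEST => 'onRequest', KernelEvents::RESPONSE => 'onResponse'];
    }
    // Fresh nonce per main request, so a long-running worker never reuses one.
    public function onRequest(RequestEvent $event): void
    {
        if ($event->isMainRequest()) { $this->nonces->reset(); }
    }
    // Only <script> tags carrying this exact nonce run; markup injected into the
    // page cannot know it. 'strict-dynamic' lets nonced scripts load their own
    // dependencies without allow-listing hosts.
    public function onResponse(ResponseEvent $event): void
    {
        if (!$event->isMainRequest()) { return; }
        $event->getResponse()->headers->set('Content-Security-Policy',
            "script-src 'nonce-{$this->nonces->get()}' 'strict-dynamic'; object-src 'none'; base-uri 'self'");
    }
}

final class CspTwigExtension extends AbstractExtension
{
    public function __construct(private NonceProvider $nonces) {}
    // Twig usage: <script nonce="{{ csp_nonce() }}">...</script>
    public function getFunctions(): array
    {
        return [new TwigFunction('csp_nonce', fn () => $this->nonces->get())];
    }
}
```

Because the same provider instance serves both the header and the template, the nonce in the HTML always matches the one the browser is told to trust, and a script tag without it (for example one injected via an XSS sink) is refused.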

Linked

#16

henrym2 added the documentation (Improvements or additions to documentation) and enhancement (New feature or request) labels Jul 28, 2020
henrym2 added this to the MVP milestone Jul 28, 2020
henrym2 self-assigned this Jul 28, 2020
henrym2 moved this from To do to In progress in Ise web security bundle Aug 6, 2020
henrym2 moved this from In progress to To do in Ise web security bundle Aug 27, 2020

No branches or pull requests

1 participant