Use CSP sandbox #168

rugk · 2017-01-31T20:25:18Z

See https://scotthelme.co.uk/csp-cheat-sheet/#sandbox

So what do we need?

Can you confirm this, @elrido?

elrido · 2017-02-01T08:52:25Z

I am quite sure we need almost all of them, so the sandbox directive seems quite pointless for our project.

rugk · 2017-02-01T14:48:05Z

I've already ticked the one we need, …
They should be the minority. At least we do not need the last three.

elrido · 2017-02-01T16:07:39Z

We do use pop-ups (in the page template).

I suspect that sandboxing would break many of our use cases, as:

The sandbox applies a same origin policy, prevents popups, plugins and script execution is blocked.

Source: https://content-security-policy.com/

This would, among other things, break password managers.

rugk · 2017-02-01T17:38:33Z

So I could basically confirm your requirements. Popus are required for the page theme (password entry) and forms are required for the password entry in the bootstrap theme.
I could not confirm that it would break password managers (tried it with FF internal one) and I also do not see why it should. Maybe give it a try.

rugk added the security/privacy label Jan 31, 2017

rugk assigned elrido Jan 31, 2017

elrido assigned rugk and unassigned elrido Feb 1, 2017

rugk closed this as completed in e9b10f9 Feb 1, 2017

rugk mentioned this issue Apr 16, 2021

Restrict form content via CSP #778

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Use CSP sandbox #168

Use CSP sandbox #168

rugk commented Jan 31, 2017 •

edited by elrido

Loading

elrido commented Feb 1, 2017

rugk commented Feb 1, 2017

elrido commented Feb 1, 2017

rugk commented Feb 1, 2017

Use CSP sandbox #168

Use CSP sandbox #168

Comments

rugk commented Jan 31, 2017 • edited by elrido Loading

elrido commented Feb 1, 2017

rugk commented Feb 1, 2017

elrido commented Feb 1, 2017

rugk commented Feb 1, 2017

rugk commented Jan 31, 2017 •

edited by elrido

Loading