CSP hardening: Prevent outgoing connections to anyone, but 'self' #272
Labels
Comments
rugk
added a commit
that referenced
this issue
Jan 6, 2018
rugk
added a commit
that referenced
this issue
Jan 6, 2018
|
CSP won't work against data exfiltration (check slide 25) :/ |
|
Uh, yeah, thanks. It is also possible to exfiltrate data via WebRTC, which is not really covered in the CSP spec. Anyway, I think, we could make it harder by using the CSP. |
elrido
moved this from To do
to Backlog
in Release 1.3 - Review & refactor paste format
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
After reading https://medium.com/@david.gilbertson/im-harvesting-credit-card-numbers-and-passwords-from-your-site-here-s-how-9a8cb347c5b5, I've had a look at our CSP…
Basically it is about the fact that you can (and should) use your CSP to limit outgoing connections so even if malicious JS is injected (by third-parties, not by the server admin), you can be sure data is sent nowhere else.
So how is our CSP?
It explicitly allows these connections… 😢 (
connect-src *)Currently, because of the plan to do #2 this is useful, but this feature prevents this security enhancement.
So what can you do as an admin? (or what can we do to enable it by default?)
Just set
connect-srctoconnect-src ''self'and addform-action 'none';to prevent bypassing that… (BTW: I've added that form action thing in the latest master.)That's it! As long as #2 is not implemented, all features should work.
The text was updated successfully, but these errors were encountered: