Add support for Content Security Policy #2134
Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.
The biggest problem for deploying CSP in YOURLS right now is that there are several inline scripts in pages, which means the 'unsafe-inline' keyword is required in a CSP, vastly reducing the protection offered. Inline script tags are injected into pages in many locations such as:
If these scripts could be externalised then deploying CSP in YOURLS would require minimal additional effort as content is loaded from the host. For testing purposes you can issue the following HTTP response header to configure CSP:
This header will not have any negative effects as it is report-only mode; check the console as you navigate the site for errors. I'm happy to provide input where needed!
Having had a bit more of a look around I can see what you mean. There is another mechanism in CSP that could allow these to be whitelisted with minimal effort, it's called a nonce-source.
You inject a random nonce into the CSP header and then add that to the nonce attribute of script or style tags on the pages.
This way the browser can still effectively whitelist our inline content and block any malicious scripts/styles.
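The nonce-source approach described in the comment above, as an added example that is not code from YOURLS or from the issue: the sample markup, paths and the `audit_inline` checker are constructed for illustration, and the header is emitted in report-only mode as the issue suggests for testing.

```python
import base64
import re
import secrets

def make_nonce() -> str:
    """Fresh nonce per HTTP response: 128 CSPRNG bits, base64 as the CSP grammar expects."""
    return base64.b64encode(secrets.token_bytes(16)).decode()

def csp_header(nonce: str, report_only: bool = True) -> tuple[str, str]:
    """Header that admits inline script/style only when the tag carries this response's nonce."""
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    value = (f"default-src 'self'; script-src 'self' 'nonce-{nonce}'; "
             f"style-src 'self' 'nonce-{nonce}'")
    return name, value

def render_page(nonce: str) -> str:
    # Constructed sample markup (not YOURLS's own): the last <script> carries no nonce,
    # like the inline scripts the issue lists, so it is what currently forces 'unsafe-inline'.
    return f"""<html><head>
<link rel="stylesheet" href="/css/style.css">
<style nonce="{nonce}">body {{ margin: 0 }}</style>
<script src="/js/jquery.js"></script>
<script nonce="{nonce}">init();</script>
<script>legacyInline();</script>
</head><body></body></html>"""

INLINE_TAG = re.compile(r"<(script|style)\b([^>]*)>", re.IGNORECASE)
NONCE_ATTR = re.compile(r"""\bnonce=["']([^"']+)["']""", re.IGNORECASE)
SRC_ATTR = re.compile(r"""\bsrc=["']""", re.IGNORECASE)

def audit_inline(html: str, nonce: str) -> dict:
    """Report which inline <script>/<style> tags the nonce policy keeps and which it blocks."""
    allowed, blocked = [], []
    for m in INLINE_TAG.finditer(html):
        tag, attrs = m.group(1).lower(), m.group(2)
        if tag == "script" and SRC_ATTR.search(attrs):
            continue  # external script: checked against the host list ('self'), not the nonce
        found = NONCE_ATTR.search(attrs)
        if found and found.group(1) == nonce:
            allowed.append(m.group(0))
        else:
            blocked.append(m.group(0))
    return {"allowed": allowed, "blocked": blocked}

if __name__ == "__main__":
    nonce = make_nonce()
    name, value = csp_header(nonce)
    print(f"{name}: {value}")
    report = audit_inline(render_page(nonce), nonce)
    print("blocked (needs a nonce or externalising):", report["blocked"])
```

The nonce must be regenerated for every response and never reused from a template, otherwise it degrades to a fixed allow-list token.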
Yes. You're absolutely right.
Yes again. But currently YOURLS is absolutely not oriented for CSP compliance, and doing it would introduce a complete YOURLS rewrite (at least for the front end).