Add support for Content Security Policy #2134
Issue left open to keep this in mind, but most inline scripts (especially in stat pages) would be quite a burden to externalize I think

Having had a bit more of a look around I can see what you mean. There is another mechanism in CSP that could allow these to be whitelisted with minimal effort, it's called a nonce-source.
You inject a random nonce into the CSP header and then add that to the nonce attribute of script or style tags on the pages.
This way the browser can still effectively whitelist our inline content and block any malicious scripts/styles.

Yes. You're absolutely right.
Yes again. But currently YOURLS is absolutely not oriented for CSP compliance, and doing it would introduce a complete YOURLS rewrite (at least for the front end).

@LeoColomb you could do this using the nonce mechanism quite easily without rewriting any code. All you need to do is insert the nonce into the CSP header and then inject the nonce attribute into script tags 👍

@LeoColomb @ScottHelme randomly generated for each request of course ;-)

@albocc yes, of course, but that doesn't have any requirement for them to rewrite existing code to accommodate it :-)
Content Security Policy is a modern browser security feature and support for using CSP in YOURLS would be a significant step forwards.
The biggest problem for deploying CSP in YOURLS right now is that there are several inline scripts in pages, which means the 'unsafe-inline' keyword is required in a CSP, vastly reducing the protection offered. Inline script tags are injected into pages in many locations such as:
https://github.com/YOURLS/YOURLS/blob/master/includes/functions-html.php#L871
If these scripts could be externalised then deploying CSP in YOURLS would require minimal additional effort as content is loaded from the host. For testing purposes you can issue the following HTTP response header to configure CSP:
This header will not have any negative effects as it is in report-only mode; check the console as you navigate the site for errors. I'm happy to provide input where needed!
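A concrete sketch of the nonce-source approach discussed in the comments above (a fresh nonce per request, sent in the CSP header and added to the inline `<script>`/`<style>` tags), combined with the report-only header suggested for testing. This is an added example; it is not YOURLS code and was not posted by anyone in this thread. It assumes a PHP page whose HTML is produced inside PHP's output buffer and whose inline code is emitted as literal `<script>`/`<style>` tags; the function names are hypothetical and the sample page is constructed.

```php
<?php
// Added example for this thread; not YOURLS code. It assumes a PHP page whose
// HTML is produced inside PHP's output buffer and whose inline scripts and styles
// are emitted as literal <script>/<style> tags. All function names are hypothetical.
declare(strict_types=1);

/** Fresh, unguessable nonce for this request: 128 bits from the CSPRNG, base64-encoded. */
function csp_generate_nonce(): string
{
    return base64_encode(random_bytes(16));
}

/**
 * Policy that allows scripts and styles only from the site's own origin or when
 * tagged with this request's nonce. No 'unsafe-inline', so untagged inline code is blocked.
 */
function csp_header_value(string $nonce): string
{
    return "default-src 'self'; "
         . "script-src 'self' 'nonce-{$nonce}'; "
         . "style-src 'self' 'nonce-{$nonce}'; "
         . "object-src 'none'; base-uri 'self'";
}

/**
 * Add nonce="..." to every <script> and <style> opening tag that does not already
 * carry one. Closing tags such as </script> are not matched because the pattern
 * requires "<" to be followed directly by the tag name.
 */
function csp_add_nonce_to_tags(string $html, string $nonce): string
{
    $attr = ' nonce="' . htmlspecialchars($nonce, ENT_QUOTES, 'UTF-8') . '"';
    $out = preg_replace_callback(
        '/<(script|style)\b([^>]*)>/i',
        static function (array $m) use ($attr): string {
            return preg_match('/\bnonce\s*=/i', $m[2])
                ? $m[0]                            // already tagged, leave as-is
                : '<' . $m[1] . $attr . $m[2] . '>';
        },
        $html
    );
    return $out ?? $html;                          // regex failure: return the page untouched
}

// Per-request wiring. Report-Only first: violations appear in the browser console
// and nothing is blocked; switch to Content-Security-Policy once the console is clean.
$nonce = csp_generate_nonce();
header('Content-Security-Policy-Report-Only: ' . csp_header_value($nonce));
ob_start(static fn(string $buffer): string => csp_add_nonce_to_tags($buffer, $nonce));
?>
<!DOCTYPE html>
<!-- Constructed sample page standing in for a real template with inline code. -->
<html>
<head>
<title>Nonce demo</title>
<style>body { font-family: sans-serif; }</style>
</head>
<body>
<script>console.log('inline script permitted by its nonce');</script>
<script src="/js/app.js"></script>
</body>
</html>
<?php
ob_end_flush();
```

Two caveats a deployment would need to respect. First, rewriting the whole output buffer tags every `<script>` in the final page, including one an attacker managed to inject through an XSS bug, which is exactly what the policy is meant to stop; the rewrite must therefore only be applied to markup the application itself generates (the template layer), never to output that embeds untrusted HTML, and the safer long-term form is for templates to emit the `nonce` attribute themselves. Second, nonces only cover `<script>` and `<style>` elements: inline event handler attributes (`onclick="..."`) and `javascript:` URLs stay blocked under this policy and would need to be moved into scripts. The nonce must be generated fresh for every response and pages carrying one must not be served from a shared cache.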