Feat: Implement strict Content Security Policy #1358
Conversation
* disallow base-uri
* disallow object-src
* disallow unsafe-inline for script-src
* require nonce for script-src
use the more generic $.ajax() to download the script and apply the nonce before execution
Sentry has out-of-the-box support for receiving CSP reports: https://docs.sentry.io/product/security-policy-reporting/
👀 Finished code reviewing this earlier. Still need to run through the manual testing steps listed in the pull request description.
Tested appcontainer, devcontainer, with and without ReCAPTCHA. LGTM!
I tested the appcontainer and devcontainer
Closes #212
Also adds a new environment variable to configure the CSP report-uri report directive. Note: report-uri is being deprecated in favor of report-to, but the latter lacks full browser support at this time. See above MDN link for more. This can be used to send CSP violation reports to Sentry, which has out-of-the-box support for Security Policy Reporting.
Notes for reviewers
font-src
)