INVESTIGATION/FIX: Security - CSP - why are we using "report only" not "block" in CSP? #399
Triage 17: estimated dev time 4 hours.
Progress
Open questions
Resources:
Conclusions
TLDR: Cannot use "Block" as the ID-card plugin and some other plugins will not work. "Report-only" also has limited usefulness due to very high noise.
Reasons why we cannot use "block"
Reasons why the current CSP implementation is quite useless
CSP was designed for site owners to protect their Users from malicious code that could be run in the User's context when the site has an XSS vulnerability. The idea of CSP was to define a safe list of sources and behaviours; everything outside of it would be blocked and/or reported. Ideally you would like to block and report, so that if there is an XSS attack, it would not run in the User's context and reporting would alert site owners of the attack. BUT:
How should Citizen OS move forward?
I suggest:
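The difference between an enforcing and a report-only policy that the comment above describes, as an added example that is not part of this issue or of the Citizen OS code base: a minimal Python evaluator for a CSP source list (a subset of the spec). The policy, origins and URLs are constructed, and the loopback signing helper is a hypothetical stand-in for the ID-card plugin.

```python
DEFAULT_PORT = {"https": "443", "http": "80"}
# Constructed policy: own origin by default, one CDN for scripts, and a hypothetical
# local signing helper (standing in for an ID-card plugin) on any loopback port.
POLICY = {
    "default-src": ["'self'"],
    "script-src": ["'self'", "https://cdn.example.org"],
    "connect-src": ["'self'", "https://127.0.0.1:*"],
}
PAGE = "https://app.example.org"  # constructed page origin

def split_origin(s):
    """Split 'scheme://host[:port]/...' into (scheme, host, port)."""
    scheme, _, rest = s.partition("://")
    host, _, port = rest.split("/", 1)[0].partition(":")
    return scheme.lower(), host.lower(), port or DEFAULT_PORT.get(scheme.lower(), "")

def source_matches(expr, url, page_origin):
    """Does one CSP source expression allow fetching `url`? (subset of the spec)"""
    if expr == "'none'":
        return False
    if expr == "'self'":
        return split_origin(url) == split_origin(page_origin)
    if expr.endswith(":") and "/" not in expr:  # scheme-source such as "https:"
        return split_origin(url)[0] == expr[:-1]
    e_scheme, e_host, e_port = split_origin(expr)
    u_scheme, u_host, u_port = split_origin(url)
    if e_scheme != u_scheme:
        return False
    if e_host.startswith("*."):  # "*.example.org" matches subdomains only
        host_ok = u_host.endswith(e_host[1:]) and u_host != e_host[2:]
    else:
        host_ok = u_host == e_host
    return host_ok and e_port in ("*", u_port)

def evaluate(policy, directive, url, page_origin, report_only):
    """Return (loaded, report). Enforce blocks; report-only reports but still loads."""
    sources = policy.get(directive, policy.get("default-src", []))
    if any(source_matches(s, url, page_origin) for s in sources):
        return True, None
    report = {"violated-directive": directive, "blocked-uri": url,
              "disposition": "report" if report_only else "enforce"}
    return report_only, report

def demo(report_only):
    """Constructed fetches a page might make; returns [(url, loaded, report)]."""
    fetches = [("script-src", "https://cdn.example.org/lib.js"),
               ("script-src", "https://evil.example.net/x.js"),      # injected script
               ("connect-src", "https://127.0.0.1:53951/sign"),
               ("img-src", "https://tracker.example.net/p.gif")]     # falls back to default-src
    return [(u, *evaluate(POLICY, d, u, PAGE, report_only)) for d, u in fetches]
```

Both modes produce the same violation report; only the enforcing mode stops the injected script from loading, which is exactly the trade-off this issue weighs against plugin breakage.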
I agree. Should we create a corresponding issue in our Github, to be able to prioritize, who and when should work on it?
How would we know if it has a serious User impact or not?
Created but forgot to link. Here it is - citizenos/citizenos-fe#422
It's Open Source, I created an issue in the project - open-eid/chrome-token-signing#158
That's a tough one, really tough one.
Legally reviewed, no additions.
Investigation
Why are we using "report only" for CSP violations, why are we not blocking the requests?
Requires extensive testing of signing and authentication. We MAY have issues with the id-card signing browser extension. Also, MAY have issue in one browser but not in another etc.
Why?
If we really have a nasty violation, let's say a malicious 3rd party script is loaded, we would like to block it, not just report it.
TODO: