Added first version of CSP plugin. #93

mattiasgrenfeldt · 2020-08-17T14:46:09Z

It supports creating custom CSP policies. The interceptor contains two policies, one for enforcement and one for reporting. A default policy based on https://csp.withgoogle.com/docs/strict-csp.html is also provided.

Fixes #74

safehttp/plugins/csp/csp.go

safehttp/plugins/csp/csp_test.go

mattiasgrenfeldt · 2020-08-18T15:13:47Z

I implemented the feedback I got from Rob during the sync. PTAL

safehttp/mux.go

safehttp/plugins/csp/csp.go

safehttp/interceptor.go

safehttp/mux.go

safehttp/plugins/csp/csp.go

safehttp/mux.go

safehttp/plugins/csp/csp.go

safehttp/plugins/csp/csp_test.go

It supports creating custom CSP policies. The interceptor contains two policies, one for enforcement and one for reporting. A default policy based on https://csp.withgoogle.com/docs/strict-csp.html is also provided.

…ing a strict nonce-based CSP and a framing CSP.

mattiasgrenfeldt · 2020-08-20T12:34:51Z

Rebasing on top of master so that tests don't fail anymore

safehttp/mux_test.go

safehttp/plugins/csp/csp_test.go

safehttp/plugins/csp/csp.go

…lder.

safehttp/mux_test.go

safehttp/plugins/csp/csp.go

safehttp/plugins/csp/csp_test.go

…eaders close to eachother.

…ion instead of each time Before is called.

safehttp/plugins/csp/csp.go

safehttp/plugins/csp/csp_test.go

safehttp/plugins/csp/csp.go

…for CSP.

…mic as a fall back mechanism

safehttp/plugins/csp/csp_test.go

mattiasgrenfeldt added enhancement New feature or request plugin labels Aug 17, 2020

mattiasgrenfeldt requested review from kele, empijei and maramihali August 17, 2020 14:46

mattiasgrenfeldt self-assigned this Aug 17, 2020

kele requested changes Aug 18, 2020

View reviewed changes

mattiasgrenfeldt requested a review from kele August 18, 2020 08:33

empijei suggested changes Aug 18, 2020

View reviewed changes

kele reviewed Aug 18, 2020

View reviewed changes

safehttp/plugins/csp/csp_test.go Outdated Show resolved Hide resolved

mattiasgrenfeldt requested review from kele and empijei August 18, 2020 13:14

kele reviewed Aug 18, 2020

View reviewed changes

safehttp/mux.go Show resolved Hide resolved

kele reviewed Aug 18, 2020

View reviewed changes

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

mattiasgrenfeldt requested a review from kele August 19, 2020 06:32

mattiasgrenfeldt mentioned this pull request Aug 19, 2020

Add Trusted Types policy to CSP plugin #99

Closed

kele requested changes Aug 19, 2020

View reviewed changes

safehttp/interceptor.go Outdated Show resolved Hide resolved

safehttp/mux.go Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

mattiasgrenfeldt requested a review from kele August 19, 2020 13:31

kele requested changes Aug 20, 2020

View reviewed changes

safehttp/mux.go Outdated Show resolved Hide resolved

safehttp/mux.go Show resolved Hide resolved

safehttp/plugins/csp/csp.go Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

kele reviewed Aug 20, 2020

View reviewed changes

safehttp/plugins/csp/csp_test.go Outdated Show resolved Hide resolved

safehttp/plugins/csp/csp_test.go Outdated Show resolved Hide resolved

mattiasgrenfeldt requested a review from kele August 20, 2020 11:19

mattiasgrenfeldt added 8 commits August 20, 2020 14:33

Added first version of CSP plugin.

272367c

It supports creating custom CSP policies. The interceptor contains two policies, one for enforcement and one for reporting. A default policy based on https://csp.withgoogle.com/docs/strict-csp.html is also provided.

Type only needed on first constant in block

f96f9c9

Refactored PolicyDirective to not contain readRand.

e55f09c

Nits in comments fixed.

55821a2

Changed Policy.Serialize to improve readability.

b66450b

Removed nonces from context for now

cc0c89c

Removed the ability to set general CSPs. Added constructors for creat…

68fbd0c

…ing a strict nonce-based CSP and a framing CSP.

Increased nonce size from 8 to 20 bytes

e124396

Assert in test that nonce is always set in context.

df8bc5a

mattiasgrenfeldt force-pushed the grenfeldt-csp-plugin-first-version branch from b73021b to df8bc5a Compare August 20, 2020 12:34

maramihali suggested changes Aug 24, 2020

View reviewed changes

mattiasgrenfeldt added 2 commits August 24, 2020 11:26

Renamed TestNonce, wantEnforcementPolicy and subtest name.

f7df283

Added descriptions of fields in FramingPolicyBuilder and StrictCSPBui…

b040a8c

…lder.

mattiasgrenfeldt requested a review from maramihali August 24, 2020 09:43

mattiasgrenfeldt mentioned this pull request Aug 24, 2020

Add a set of hashes to the CSP plugin #111

Closed

empijei suggested changes Aug 24, 2020

View reviewed changes

mattiasgrenfeldt added 8 commits August 24, 2020 16:55

Removed 'if true' in panickingInterceptor and just panic instead.

ee842b5

Added and rephraes comments

0dc28e0

Removed TODO and added a more descriptive panic when entropy runs out.

d3743da

Updated Nonce to return an error instead of using in-band errors.

4454e08

Moved the claiming of headers close to eachother and the setting of h…

ef824ed

…eaders close to eachother.

Changed dummyReader to endlessAReader

c6c2e4c

Perform the split of enforcement vs report-only policies at construct…

56a6971

…ion instead of each time Before is called.

Changed WriteString to WriteByte when only writing one byte.

dde48c2

mattiasgrenfeldt requested a review from empijei August 25, 2020 09:41

maramihali suggested changes Aug 26, 2020

View reviewed changes

empijei reviewed Aug 26, 2020

View reviewed changes

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

safehttp/plugins/csp/csp.go Outdated Show resolved Hide resolved

mattiasgrenfeldt added 4 commits August 26, 2020 12:37

Renamed variables in Before to uniformly use CSP as the abbreviation …

2a96046

…for CSP.

Fixed spelling error: wantEnforcPolicy -> wantEnforcePolicy

bef61a5

Moved https: and http: to only be specified together with strict-dyna…

d10678a

…mic as a fall back mechanism

Changed strict-dynamic to be enabled by default

f603928

mattiasgrenfeldt requested review from empijei and maramihali August 26, 2020 11:02

maramihali approved these changes Aug 26, 2020

View reviewed changes

safehttp/plugins/csp/csp_test.go Show resolved Hide resolved

empijei approved these changes Aug 28, 2020

View reviewed changes

empijei merged commit 5c6aabe into master Aug 28, 2020

mattiasgrenfeldt deleted the grenfeldt-csp-plugin-first-version branch August 28, 2020 12:51

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Added first version of CSP plugin. #93

Added first version of CSP plugin. #93

mattiasgrenfeldt commented Aug 17, 2020

mattiasgrenfeldt commented Aug 18, 2020

mattiasgrenfeldt commented Aug 20, 2020

Added first version of CSP plugin. #93

Added first version of CSP plugin. #93

Conversation

mattiasgrenfeldt commented Aug 17, 2020

mattiasgrenfeldt commented Aug 18, 2020

mattiasgrenfeldt commented Aug 20, 2020