Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Improve default Content-Security-Policy value #224

Merged
merged 2 commits into from
Mar 26, 2019
Merged

Improve default Content-Security-Policy value #224

merged 2 commits into from
Mar 26, 2019

Conversation

LeoColomb
Copy link
Member

@LeoColomb LeoColomb commented Mar 24, 2019
edited
Loading

@quantumpacket
Copy link
Contributor

In all honesty from a security perspective the CSP should be deny everything for all directives by default. Then whitelist per directive as needed. That's the most secure and least shoot your security in the foot scenario by accident.

@LeoColomb
Copy link
Member Author

Thanks for your comment, @quantumpacket! 👍
What values do you suggest?

@quantumpacket
Copy link
Contributor

@LeoColomb these would be more restrictive baseline CSPs templates. This way the application has a secure starting point, and an admin can then loosen it if needed.

CSP2:

Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; require-sri-for script style; sandbox; base-uri 'none'

CSP3: (some experimental directives, browser support will vary)

Content-Security-Policy: default-src 'none'; frame-ancestors 'none'; form-action 'none'; upgrade-insecure-requests; block-all-mixed-content; disown-opener; require-sri-for script style; sandbox; base-uri 'none'; navigate-to: 'none';

@LeoColomb LeoColomb mentioned this pull request Mar 25, 2019
Merged
@LeoColomb
Copy link
Member Author

Thanks @quantumpacket.
See answers here: h5bp/server-configs-apache#181 (comment)
You can join the discussion there. 🙂

@Malvoz
Copy link

Malvoz commented Mar 25, 2019

require-sri-for <style|script> tells the browser that the document must provide SRI metadata for all resources of that type (style and/or script). This may break functionality as not all eligible resource responds with CORS headers.

Unfortunately there is currently no way (maybe in the future) for this CSP directive to provide any granular control by saying "hey! require SRI for only this one script". It's all or nothing, and I think this is why the directive has seen limited usage amongst developers. (You can still opt-in for SRI matching by setting the integrity attribute to the desired <script> or <link> elements).

So I'd say no to require-sri-for as a default.

The navigate-to CSP spec description says:

[...] an enforcement on what navigations this document initiates not on what this document is allowed to navigate to.

This is a tad bit confusing but it seems to suggest that If I (abc.xyz) would set navigate-to https://example.com then if a user clicks <a href="https://not.example.com"> then https://not.example.com is only allowed to navigate to https://example.com?

Personally I don't think that's a good default because I'd imagine the majority of website owners do not care for, or want that type of restriction (maybe something an advertiser would want to use). I'd even go as far as to say that such a behavior (navigation blocking) doesn't match users expectations of how the web works.

The directive is under development still:
https://www.chromestatus.com/feature/6457580339593216
https://bugzilla.mozilla.org/show_bug.cgi?id=1529068

@quantumpacket

I've addressed my approach to most of the other directives that you mentioned in h5bp/server-configs-apache#181 (comment).

@LeoColomb LeoColomb merged commit 276af8d into master Mar 26, 2019
@LeoColomb LeoColomb deleted the feat/csp branch March 26, 2019 11:41
memuller added a commit to memuller/nginx-config that referenced this pull request Aug 26, 2019
@memuller
Merge branch 'master' of github.com:h5bp/server-configs-nginx
3e2bcbb 
* 'master' of github.com:h5bp/server-configs-nginx: (92 commits)
  Additional compression method added for gzip (h5bp#236)
  Bump server-config-test to 1.2.1
  Switch tertiary DNS used for OCSP checking to OpenDNS (h5bp#235)
  Revert "Drop Cache-Control: no-transform usage"
  Release v3.1.0
  Fix CHANGELOG formatting
  Use generic `$host` instead of host name
  Pre-compressed content usage config files
  Fix rebase artifacts
  Documentation formatting and reviewing (h5bp#232)
  Fix 304 responses Cache-control override
  Fix dropped Cache-Control: no-transform usage for SVGZ Compression
  Bump server-configs-test to v1.1.0
  Improve wording and file headers
  Drop Cache-Control: no-transform usage
  Add Google Public DNS IPv6 and Cloudflare DNS IP addresses to `resolver` (h5bp#229)
  Fix misc typos in comments (h5bp#228)
  Update README.md
  Fix typo in example conf (h5bp#226)
  Improve default Content-Security-Policy value (h5bp#224)
  ...
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@LeoColomb @quantumpacket @Malvoz