Propose an alternate default CSP policy
This is related to rails/rails#24961 where I proposed a default CSP, but the idea was rejected due to lack of a CSP management API. The proposed policies are not the same, as there is some room for debate. With the exception of `object-src` becoming `'none'`, this policy should be a non-breaking change for applications. Considering it's in a generator, there's less risk of breaking things.

Reasonings:

- Changing `object-src` to `'none'` - `object-src` is very dangerous. Using a value of `'self'` opens up a lot of cross-origin bypasses, mostly via Flash or PDF bugs.
- `img-src` gets `https: data:` added - while sourcing 3rd-party images can lead to defacement if the underlying tags reference undesirable content, the goal here is to eliminate mixed content. `data:` is safe as a default.
- `style-src` gets `'unsafe-inline' https:` - while "scriptless" attacks exist, restricting inline style is not a realistic goal. So much so that a 3rd `'unsafe'` value had been discussed, but it was too complex and nobody cared enough to make it happen. Inline styles are safe enough. Similarly, almost any style is safe from a security point of view, so let's just prevent mixed content here too.
- Removing `referrer` and `reflected-xss` - these are non-standard at this point. I don't think these are well supported either. Glad to add these back.

More proposed changes:

- (breaking change) default `script-src` to be `https:` - using `'self'` opens you up to JSONP attacks. In a lot of cases, people bundle assets on a CDN. Using `'self'` is mostly for convenience when developing locally. While closing the JSONP loophole is nice, maybe allowing any `https:` is worse.
- Adding `https: data:` to `font-src` - this is _mostly_ safe.
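The commit message argues about directive values rather than showing the generated file, so here is an added example (my code, not part of this commit or of Rails) that turns those arguments into a small lint for a `Content-Security-Policy` header: it parses the header, then flags the three things the message calls out (an `object-src` other than `'none'`, plaintext `http:` or wildcard sources that permit mixed content in the fetch directives discussed, and the non-standard `referrer` / `reflected-xss` directives). The two header strings are constructed for illustration; the "proposed" one reflects the directive values discussed in the message, not the generator's actual output.

```ruby
# Added example: lint a CSP header for the issues raised in the commit message.
# Not part of the commit or of Rails; sample headers below are constructed.

# Directives the commit message says are non-standard and poorly supported.
NONSTANDARD_DIRECTIVES = %w[referrer reflected-xss].freeze

# Fetch directives where the message's goal is "no mixed content".
MIXED_CONTENT_DIRECTIVES = %w[img-src style-src font-src script-src].freeze

# Parse "name v1 v2; name2 v3" into { "name" => ["v1", "v2"], ... }.
def parse_csp(header)
  header.split(";").each_with_object({}) do |directive, acc|
    name, *values = directive.strip.split(/\s+/)
    next if name.nil? || name.empty?
    acc[name.downcase] = values
  end
end

# Value of a fetch directive, falling back to default-src as browsers do.
def effective_sources(policy, directive)
  policy.fetch(directive) { policy.fetch("default-src", []) }
end

# Returns a list of human-readable findings; an empty list means no issue found.
def lint_csp(header)
  policy = parse_csp(header)
  findings = []

  # object-src must be exactly 'none': plugins (Flash, PDF readers) have a
  # history of cross-origin bypasses, so 'self' is not good enough.
  unless effective_sources(policy, "object-src") == ["'none'"]
    findings << "object-src should be 'none'"
  end

  # Any http: origin or a bare wildcard re-opens mixed content.
  MIXED_CONTENT_DIRECTIVES.each do |directive|
    sources = effective_sources(policy, directive)
    if sources.any? { |s| s == "*" || s.downcase.start_with?("http:") }
      findings << "#{directive} allows plaintext (mixed content) sources"
    end
  end

  NONSTANDARD_DIRECTIVES.each do |directive|
    findings << "#{directive} is non-standard" if policy.key?(directive)
  end

  findings
end

# Constructed sample: the kind of policy the message argues against.
LEGACY_POLICY = "default-src 'self'; object-src 'self'; " \
                "img-src 'self' http://cdn.example; " \
                "referrer origin; reflected-xss block".freeze

# Constructed sample built from the directive values discussed in the message.
PROPOSED_POLICY = "default-src 'self' https:; object-src 'none'; " \
                  "img-src 'self' https: data:; " \
                  "style-src 'self' 'unsafe-inline' https:; " \
                  "font-src 'self' https: data:".freeze

if __FILE__ == $PROGRAM_NAME
  puts "legacy:   #{lint_csp(LEGACY_POLICY).inspect}"
  puts "proposed: #{lint_csp(PROPOSED_POLICY).inspect}"
end
```

Run it directly to see the legacy sample produce four findings (object-src, img-src mixed content, and the two non-standard directives) while the proposed sample produces none. Note that `'unsafe-inline'` in `style-src` is deliberately not flagged, matching the message's position that inline styles are an accepted trade-off.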