Switch Content Security Policy from report-only to enforceable #498
Conversation
From the CSP reports we've received so far it looks like we need to change |
I'm seeing reports for |
I'm also seeing reports for |
@Changaco FWIW you can send |
0464807 to ba6f188
I've dropped I've also added |
I'll merge this tomorrow unless there are objections. Ping @EdOverflow. |
b"script-src %(main_domain)s 'unsafe-inline';" | ||
b"style-src %(main_domain)s 'unsafe-inline';" | ||
b"default-src 'self' %(main_domain)s;" | ||
b"script-src 'self' %(main_domain)s 'unsafe-inline';" |
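Review bot: the new `script-src 'self' %(main_domain)s 'unsafe-inline';` line keeps 'unsafe-inline', so any inline script an attacker manages to inject still executes and the policy blocks none of the usual XSS vectors, whatever the comment above the code promises; replace it with a per-response 'nonce-…' source (or hashes of the legitimate inline scripts), which also makes browsers that implement CSP Level 2 ignore a leftover 'unsafe-inline' during the transition. The same weakness exists in `style-src %(main_domain)s 'unsafe-inline';` for CSS-based injection, a lower-priority follow-up. It is also worth checking that the `%(main_domain)s` placeholders in these bytes literals are substituted before the header is sent, since a literal `%(main_domain)s` is not a valid host source and the whole directive would be unusable.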
The comment above this section of code suggests that we are using this CSP to prevent XSS, but by using 'unsafe-inline' you are doing precisely the opposite.
Proof of concept: http://output.jsbin.com/segekehedo.
We're not ready to drop 'unsafe-inline'. It's still better to have some protection than none at all.
@Changaco, I agree, but is there a ticket addressing this concern somewhere?
There is now: #879.
In #468 we opted to start with a report-only policy. This PR is so we don't forget to switch to enforcement mode. I want to wait a little while longer and analyze the reports before merging this.
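The two points raised in this thread, 'unsafe-inline' defeating the XSS protection the header is meant to give and the switch from the report-only header to the enforcing one, as an added example that is not Liberapay's code. It builds the header with a per-response nonce in place of 'unsafe-inline', using the same `main_domain` substitution idea as the diff above, and includes a small checker that tells you whether an injected inline script would run under a given policy. The function names, the `/csp-report` path and the domain used in the comments are assumptions for illustration.

```python
import secrets
from typing import Dict, List, Optional, Tuple

# Assumed helper names for this example; none of these exist in the project.

NONCE_OR_HASH_PREFIXES = ("'nonce-", "'sha256-", "'sha384-", "'sha512-")


def parse_csp(policy: str) -> Dict[str, List[str]]:
    """Split a serialized policy into {directive name: [source expressions]}."""
    directives: Dict[str, List[str]] = {}
    for part in policy.split(";"):
        tokens = part.split()
        if not tokens:
            continue
        name, sources = tokens[0].lower(), tokens[1:]
        directives.setdefault(name, []).extend(sources)
    return directives


def script_src_allows_inline(policy: str) -> bool:
    """True if an attacker-injected inline <script> would execute under this policy.

    Inline scripts run when 'unsafe-inline' is listed and no nonce or hash source
    is present: CSP Level 2 browsers ignore 'unsafe-inline' as soon as a nonce or
    hash appears in the same directive. script-src falls back to default-src when
    it is absent, as in the spec.
    """
    directives = parse_csp(policy)
    sources = directives.get("script-src", directives.get("default-src", []))
    has_nonce_or_hash = any(s.startswith(NONCE_OR_HASH_PREFIXES) for s in sources)
    return "'unsafe-inline'" in sources and not has_nonce_or_hash


def new_nonce() -> str:
    """A fresh, unguessable nonce; must be generated per response, never reused."""
    return secrets.token_urlsafe(16)


def build_csp(main_domain: str, nonce: Optional[str] = None,
              report_only: bool = False,
              report_uri: str = "/csp-report") -> Tuple[str, str]:
    """Return (header name, header value).

    With a nonce, inline scripts must carry nonce="<value>" to run; without one
    this reproduces the weak 'unsafe-inline' form the thread is discussing.
    report_only selects the Content-Security-Policy-Report-Only header, which
    only sends violation reports, versus the enforcing Content-Security-Policy.
    """
    script_sources = ["'self'", main_domain]
    if nonce:
        script_sources.append(f"'nonce-{nonce}'")
    else:
        script_sources.append("'unsafe-inline'")  # the weak setting
    policy = ";".join([
        f"default-src 'self' {main_domain}",
        "script-src " + " ".join(script_sources),
        f"style-src 'self' {main_domain} 'unsafe-inline'",
        f"report-uri {report_uri}",  # assumed report endpoint
    ]) + ";"
    name = "Content-Security-Policy-Report-Only" if report_only else "Content-Security-Policy"
    return name, policy


if __name__ == "__main__":
    weak_name, weak_policy = build_csp("liberapay.com", report_only=True)
    print(weak_name, "->", weak_policy)
    print("inline injection runs:", script_src_allows_inline(weak_policy))
    nonce = new_nonce()
    strict_name, strict_policy = build_csp("liberapay.com", nonce=nonce)
    print(strict_name, "->", strict_policy)
    print("inline injection runs:", script_src_allows_inline(strict_policy))
    print(f'legitimate inline script tag: <script nonce="{nonce}">...</script>')
```

The checker is the thing to run over the policy you are about to enforce: if `script_src_allows_inline` returns True, switching the header name from report-only to enforcing changes nothing for inline script injection, which is the point the reviewer's proof of concept makes. Keeping 'unsafe-inline' alongside a nonce is a legitimate transition step, since browsers that understand nonces ignore it and older ones fall back to it.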