Add Content Security Policy (CSP)

[EdOverflow]

Content Security Policy (CSP) is a security mechanism that allows web sites control how browsers process their pages. In essence, sites can restrict what types of resources are loaded and from where. CSP policies can be used to defend against cross-site scripting, prevent mixed content issues, as well as report violations for investigation.

[Changaco]

As the Travis build shows: the indentation is "wrong" and a newline is missing at the end.

[EdOverflow]

Voilà! :)

[EdOverflow]

@Changaco Would you like to set up report-uri.io? It's a fantastic tool for CSP violation reporting.

[EdOverflow]

Otherwise, would it be fine with you if I merge this PR?

[Changaco]

I'm not comfortable merging this yet, I want to make sure it won't break anything first.

I've created an account on report-uri.io and claimed the liberapay subdomain.

[Changaco]

I'm working on testing and completing this PR. As I feared the proposed policy is too strict.

Firstly, it always tries to force HTTPS, which is good in production, but not good for local development.

Secondly, it breaks the credit card form: Content Security Policy: The page’s settings blocked the loading of a resource at https://homologation-webpayment.payline.com/webpayment/getToken (“default-src http://localhost:8339”).

[Changaco]

I've added connect-src * as a workaround, we can try to narrow that down in a future PR.

I've switched the policy to report-only, so we can test it for a few days/weeks before enforcing it.

[Changaco]

@EdOverflow Please review. ;-)

[EdOverflow]

Very impressive work @Changaco! As you stated we will need to add a specific directive for connect-src. When you decide to deploy this, please remember to analyse the CSP header with https://report-uri.io/home/analyse.

[Changaco]

This is deployed.

 %  curl -I 'https://liberapay.com/'                                                                                                                                                                            31/12/16 11:09:33
HTTP/1.1 200 OK
Date: Sat, 31 Dec 2016 10:09:40 GMT
Content-Type: text/html; charset=UTF-8
Connection: keep-alive
Set-Cookie: __cfduid=...; expires=Sun, 31-Dec-17 10:09:40 GMT; path=/; domain=.liberapay.com; HttpOnly
X-Xss-Protection: 1; mode=block
Content-Security-Policy-Report-Only: default-src 'self';script-src 'self' 'unsafe-inline';style-src 'self' 'unsafe-inline';connect-src *;img-src *;reflected-xss block;report-uri https://liberapay.report-uri.io/r/default/csp/reportOnly;upgrade-insecure-requests;block-all-mixed-content;
Cache-Control: no-cache
X-Frame-Options: SAMEORIGIN
Set-Cookie: csrf_token=...; Domain=.liberapay.com; expires=Sat, 07 Jan 2017 10:09:40 GMT; Path=/; secure
Vary: Accept-Encoding
Strict-Transport-Security: max-age=15552000; includeSubDomains
X-Content-Type-Options: nosniff
Server: cloudflare-nginx
CF-RAY: 319ceff21a02102b-CDG

https://report-uri.io/home/analyse shows no errors besides warning that unsafe-inline is unsafe.