New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Content Security Policy (CSP) #468
Conversation
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
As the Travis build shows: the indentation is "wrong" and a newline is missing at the end.
Voilà! :) |
@Changaco Would you like to set up report-uri.io? It's a fantastic tool for CSP violation reporting. |
Otherwise, would it be fine with you if I merge this PR? |
I'm not comfortable merging this yet, I want to make sure it won't break anything first. I've created an account on report-uri.io and claimed the liberapay subdomain. |
I'm working on testing and completing this PR. As I feared the proposed policy is too strict. Firstly, it always tries to force HTTPS, which is good in production, but not good for local development. Secondly, it breaks the credit card form: |
I've added I've switched the policy to report-only, so we can test it for a few days/weeks before enforcing it. |
@EdOverflow Please review. ;-) |
Very impressive work @Changaco! As you stated we will need to add a specific directive for |
This is deployed.
https://report-uri.io/home/analyse shows no errors besides warning that |
Content Security Policy (CSP) is a security mechanism that allows web sites control how browsers process their pages. In essence, sites can restrict what types of resources are loaded and from where. CSP policies can be used to defend against cross-site scripting, prevent mixed content issues, as well as report violations for investigation.