Add a Content Security Policy

[pushcx]

When we update to Rails 5.2 we'll have access to its support for CSP.

[freddyb]

It's been a while since I coded things in ruby. But as a first starting point, I browsed lobsters with the Firefox Laboratory Extension that infers a good CSP header for select web pages:

What it inferred was
default-src 'none'; img-src *; style-src 'self' 'unsafe-inline'; form-action 'self';

(img-src is *, because submission text Markdown can contain arbitrary images.).

The page page doesn't seem to use anything fancy, so I'm somewhat confident that it won't break things.

[pushcx]

Sounds like a good start. We prohibit images in markdown and locally cache gravatars for privacy, so img-src can probably be 'self'.

Looks like we only have five small inline <script> tags in app/views, no href="javascript: (false hit for the story submission bookmarlet), and no inline <style> tags. That's few enough that we should try to tidy them into application.js.erb so we can remove 'unsafe-inline'. That XSS prevention might be the biggest value we get out of CSP.

[freddyb]

I found inline `style=` attributes though. Also images from imgur.com because (at least older posts) allowed images in markdown in the submission text only. Found some older mrta-posts from jcs. But yeah, nothing that can be fixed probably. I'd personally go with something more lax and a stricter one that's report-only.

[freddyb]

Sorry, I was on mobile. An example post that makes it necessary to add image-src * is this announcement at https://lobste.rs/s/jg3eet - unless there is an easy way to rewrite and proxy those images after the fact?

[freddyb]

Finding this inline script it probably makes sense to start two meta bugs: One for removing inline scripts and one for removing inline styles. The first one resolved might lead to a first, simpler policy being enabled, depending on time in between.