
Add a Content Security Policy #486

Open
pushcx opened this Issue May 2, 2018 · 5 comments

Comments

@pushcx
Member

pushcx commented May 2, 2018

When we update to Rails 5.2 we'll have access to its support for CSP.

@freddyb


freddyb commented Nov 9, 2018

It's been a while since I coded things in ruby. But as a first starting point, I browsed lobsters with the Firefox Laboratory Extension that infers a good CSP header for select web pages:

What it inferred was
default-src 'none'; img-src *; style-src 'self' 'unsafe-inline'; form-action 'self';

(img-src is *, because submission text Markdown can contain arbitrary images.)

The page doesn't seem to use anything fancy, so I'm somewhat confident that it won't break things.

@pushcx


Member

pushcx commented Nov 9, 2018

Sounds like a good start. We prohibit images in markdown and locally cache gravatars for privacy, so img-src can probably be 'self'.

Looks like we only have five small inline <script> tags in app/views, no href="javascript: (false hit for the story submission bookmarklet), and no inline <style> tags. That's few enough that we should try to tidy them into application.js.erb so we can remove 'unsafe-inline'. That XSS prevention might be the biggest value we get out of CSP.
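The audit pushcx describes above, written out as an added example that is not Lobsters code: scan ERB views for the constructs that stop working once 'unsafe-inline' is dropped (inline script blocks, inline event handlers, javascript: hrefs, inline style blocks), then emit the policy the result allows. The three templates are constructed samples; script-src 'self' (for application.js) and base-uri 'self' are assumptions added here and are not part of the inferred policy in the thread.

```ruby
# Added example, not Lobsters code: audit ERB views for the constructs that
# break once 'unsafe-inline' leaves script-src/style-src, then build the
# header the audit allows. The templates below are constructed samples.

SAMPLE_TEMPLATES = {
  # constructed: layout with one external script and one inline <script>
  "app/views/layouts/application.html.erb" => <<~ERB,
    <html><head>
    <script src="/assets/application.js"></script>
    <script>window.csrfToken = "<%= form_authenticity_token %>";</script>
    </head><body><%= yield %></body></html>
  ERB
  # constructed: the submit bookmarklet, a javascript: href that is a false
  # hit (it runs from the bookmarks bar, not from this page)
  "app/views/stories/new.html.erb" => <<~ERB,
    <a href="javascript:location='https://lobste.rs/stories/new?url='+encodeURIComponent(location.href)">Submit to Lobsters</a>
  ERB
  # constructed: an inline event handler, which CSP also treats as inline script
  "app/views/users/show.html.erb" => <<~ERB,
    <div class="user"><%= @user.username %></div>
    <button onclick="follow(<%= @user.id %>)">Follow</button>
  ERB
}

CHECKS = {
  inline_script: /<script(?![^>]*\bsrc\s*=)[^>]*>/i, # <script> with no src attribute
  inline_style:  /<style\b[^>]*>/i,                   # <style> blocks
  js_href:       /href\s*=\s*["']\s*javascript:/i,    # javascript: URLs (review by hand)
  on_handler:    /\son[a-z]+\s*=\s*["']/i,            # onclick="..." and friends
}

# Returns { check => ["path:line", ...] } for every template line that trips a check
def audit_templates(templates)
  findings = CHECKS.keys.to_h { |k| [k, []] }
  templates.each do |path, source|
    source.each_line.with_index(1) do |line, lineno|
      CHECKS.each { |name, re| findings[name] << "#{path}:#{lineno}" if line.match?(re) }
    end
  end
  findings
end

# Policy the audit permits. img-src is 'self' because markdown images are
# prohibited and gravatars are cached locally (per the thread). script-src
# 'self' and base-uri 'self' are assumptions added in this example.
# js_href hits are not gated on, since the only one is the bookmarklet.
def csp_for(findings)
  scripts_clean = %i[inline_script on_handler].all? { |k| findings.fetch(k, []).empty? }
  styles_clean  = findings.fetch(:inline_style, []).empty?
  directives = {
    "default-src" => ["'none'"],
    "script-src"  => scripts_clean ? ["'self'"] : ["'self'", "'unsafe-inline'"],
    "style-src"   => styles_clean  ? ["'self'"] : ["'self'", "'unsafe-inline'"],
    "img-src"     => ["'self'"],
    "form-action" => ["'self'"],
    "base-uri"    => ["'self'"], # does not fall back to default-src, so set it explicitly
  }
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

if $PROGRAM_NAME == __FILE__
  findings = audit_templates(SAMPLE_TEMPLATES)
  findings.each { |check, hits| puts "#{check}: #{hits.empty? ? 'none' : hits.join(', ')}" }
  puts "Content-Security-Policy: #{csp_for(findings)}"
end
```

Once the audit comes back clean, the same directives map onto the Rails 5.2 `content_security_policy` initializer, and `content_security_policy_report_only = true` lets the header ship in report-only mode first so breakage shows up as reports rather than blocked pages.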

@freddyb


freddyb commented Nov 9, 2018

@freddyb


freddyb commented Nov 10, 2018

Sorry, I was on mobile. An example post that makes it necessary to add image-src * is this announcement at https://lobste.rs/s/jg3eet - unless there is an easy way to rewrite and proxy those images after the fact?
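One answer to the "rewrite and proxy those images after the fact" question, as an added example that is not Lobsters code: a camo-style scheme that rewrites every external `<img src>` in already-rendered HTML into an HMAC-signed same-origin URL, so img-src can stay 'self' while the proxy only fetches URLs the site itself signed. The secret, the /img route, and the sample HTML are constructed for this example; the fetching side (size and content-type limits, refusing internal addresses) is not shown.

```ruby
# Added example, not Lobsters code: camo-style signed image proxy URLs.
# Secret, route prefix and sample HTML are constructed for this example.
require "openssl"

PROXY_SECRET = "constructed-example-secret" # assumption: real deployments load this from config
PROXY_PREFIX = "/img"                       # assumption: the route the proxy controller answers

def hex_encode(str)
  str.unpack1("H*")
end

def hex_decode(hex)
  [hex].pack("H*").force_encoding(Encoding::UTF_8)
end

def sign(url)
  OpenSSL::HMAC.hexdigest("SHA256", PROXY_SECRET, url)
end

# Constant-time comparison so a forged signature can't be confirmed byte by byte
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Only absolute http(s) URLs are proxied; same-origin paths are left alone
def proxy_url_for(url)
  return url unless url.match?(%r{\Ahttps?://}i)
  "#{PROXY_PREFIX}/#{sign(url)}/#{hex_encode(url)}"
end

# Server side: recover the upstream URL only when the signature was minted by us.
# The fetcher that uses this still needs size/content-type limits and must
# refuse to connect to internal addresses.
def upstream_url_from(path)
  m = path.match(%r{\A#{Regexp.escape(PROXY_PREFIX)}/([0-9a-f]{64})/([0-9a-f]+)\z})
  return nil unless m
  url = hex_decode(m[2])
  secure_equal?(m[1], sign(url)) ? url : nil
end

# Rewrite every <img src="..."> in rendered HTML after the fact
def rewrite_img_srcs(html)
  html.gsub(/(<img\b[^>]*\bsrc\s*=\s*)(["'])([^"']*)\2/i) do
    "#{$1}#{$2}#{proxy_url_for($3)}#{$2}"
  end
end

# constructed sample: one external image, one local one
SAMPLE_HTML = '<p>Release notes <img src="https://example.org/shot.png" alt="shot"> ' \
              'and <img src="/avatars/local.png"></p>'

if $PROGRAM_NAME == __FILE__
  puts rewrite_img_srcs(SAMPLE_HTML)
end
```

The HMAC covers the full upstream URL, so a client can neither point the proxy at an arbitrary host nor swap the hex-encoded URL under a signature it captured for another image; both cases come back nil and get a 404.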

@freddyb


freddyb commented Nov 10, 2018

Having found this inline script, it probably makes sense to start two meta bugs: one for removing inline scripts and one for removing inline styles. The first one resolved might lead to a first, simpler policy being enabled, depending on the time in between.
