Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add a Content Security Policy #486

Closed
pushcx opened this issue May 2, 2018 · 5 comments
Closed

Add a Content Security Policy #486

pushcx opened this issue May 2, 2018 · 5 comments

Comments

@pushcx
Copy link
Member

@pushcx pushcx commented May 2, 2018

When we update to Rails 5.2 we'll have access to its support for CSP.

@freddyb
Copy link

@freddyb freddyb commented Nov 9, 2018

It's been a while since I coded things in ruby. But as a first starting point, I browsed lobsters with the Firefox Laboratory Extension that infers a good CSP header for select web pages:

What it inferred was
default-src 'none'; img-src *; style-src 'self' 'unsafe-inline'; form-action 'self';

(img-src is *, because submission text Markdown can contain arbitrary images.).

The page page doesn't seem to use anything fancy, so I'm somewhat confident that it won't break things.

@pushcx
Copy link
Member Author

@pushcx pushcx commented Nov 9, 2018

Sounds like a good start. We prohibit images in markdown and locally cache gravatars for privacy, so img-src can probably be 'self'.

Looks like we only have five small inline <script> tags in app/views, no href="javascript: (false hit for the story submission bookmarlet), and no inline <style> tags. That's few enough that we should try to tidy them into application.js.erb so we can remove 'unsafe-inline'. That XSS prevention might be the biggest value we get out of CSP.

@freddyb
Copy link

@freddyb freddyb commented Nov 9, 2018

@freddyb
Copy link

@freddyb freddyb commented Nov 10, 2018

Sorry, I was on mobile. An example post that makes it necessary to add image-src * is this announcement at https://lobste.rs/s/jg3eet - unless there is an easy way to rewrite and proxy those images after the fact?

@freddyb
Copy link

@freddyb freddyb commented Nov 10, 2018

Finding this inline script it probably makes sense to start two meta bugs: One for removing inline scripts and one for removing inline styles. The first one resolved might lead to a first, simpler policy being enabled, depending on time in between.

thomasdziedzic added a commit to thomasdziedzic/lobsters that referenced this issue Jun 26, 2019
thomasdziedzic added a commit to thomasdziedzic/lobsters that referenced this issue Jun 26, 2019
@pushcx pushcx closed this in #698 Jul 2, 2019
pushcx added a commit that referenced this issue Jul 2, 2019
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

2 participants