Add a Content Security Policy #486
Comments
It's been a while since I coded things in ruby. But as a first starting point, I browsed lobsters with the Firefox Laboratory Extension that infers a good CSP header for select web pages: What it inferred was (img-src is The page doesn't seem to use anything fancy, so I'm somewhat confident that it won't break things.
Sounds like a good start. We prohibit images in markdown and locally cache gravatars for privacy, so Looks like we only have five small inline
I found inline `style=` attributes though.
Also images from imgur.com, because (at least for older posts) images were allowed in markdown in the submission text only. Found some older mrta-posts from jcs.
But yeah, nothing that can be fixed probably. I'd personally go with something more lax and a stricter one that's report-only.
Sorry, I was on mobile. An example post that makes it necessary to add
Having found this inline script, it probably makes sense to start two meta bugs: one for removing inline scripts and one for removing inline styles. Resolving the first one might lead to a first, simpler policy being enabled, depending on the time in between.
When we update to Rails 5.2 we'll have access to its support for CSP.
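The two-policy approach suggested above (a lax enforced header plus a stricter Report-Only header) together with the "find the inline scripts and styles" clean-up work, as an added Ruby example. This is not lobsters' own code and does not use the Rails 5.2 CSP DSL; it builds the two header values in plain Ruby and scans a constructed HTML sample for the inline code a `script-src 'self'` / `style-src 'self'` policy would block. The imgur image host, the `/csp-report` endpoint and the sample page are assumptions for illustration.

```ruby
# Added example, not lobsters' code: build a lax enforced CSP and a stricter
# report-only CSP, then count the inline scripts and inline styles in a page
# that the stricter policy would block (the clean-up work for the two meta bugs).

# A CSP value is a list of directives; each directive is a name plus sources.
def build_csp(directives)
  directives.map { |name, sources| "#{name} #{sources.join(' ')}" }.join("; ")
end

# Lax policy to enforce first: keeps today's inline scripts/styles and
# the old imgur images in submissions working.
LAX_POLICY = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'", "'unsafe-inline'"],
  "style-src"   => ["'self'", "'unsafe-inline'"],
  "img-src"     => ["'self'", "https://i.imgur.com"], # assumed host
}.freeze

# Strict policy to ship as Report-Only: no inline code; violations are
# reported to a collector endpoint (assumed path) instead of being blocked.
STRICT_POLICY = {
  "default-src" => ["'self'"],
  "script-src"  => ["'self'"],
  "style-src"   => ["'self'"],
  "img-src"     => ["'self'", "https://i.imgur.com"],
  "report-uri"  => ["/csp-report"],
}.freeze

# Both headers as they would be sent on every response.
def csp_headers
  {
    "Content-Security-Policy" => build_csp(LAX_POLICY),
    "Content-Security-Policy-Report-Only" => build_csp(STRICT_POLICY),
  }
end

# Inline code that the strict policy would block:
# <script> without a src attribute, <style> elements, and style="" attributes.
INLINE_SCRIPT    = /<script\b(?![^>]*\bsrc=)[^>]*>/i
INLINE_STYLE_TAG = /<style\b[^>]*>/i
STYLE_ATTR       = /<[a-z][^>]*\sstyle\s*=\s*["']/i

def find_inline_code(html)
  {
    inline_scripts:    html.scan(INLINE_SCRIPT).size,
    inline_style_tags: html.scan(INLINE_STYLE_TAG).size,
    style_attributes:  html.scan(STYLE_ATTR).size,
  }
end

# Constructed sample page standing in for a rendered story page.
SAMPLE_HTML = <<~HTML
  <html><head>
    <script src="/assets/application.js"></script>
    <script>var csrf = "token";</script>
    <style>.hidden { display: none }</style>
  </head><body>
    <div style="color: red">inline styled</div>
    <img src="https://i.imgur.com/abc.png" style="width: 100px">
    <script src="/assets/comments.js"></script>
  </body></html>
HTML

if __FILE__ == $PROGRAM_NAME
  csp_headers.each { |name, value| puts "#{name}: #{value}" }
  p find_inline_code(SAMPLE_HTML) # {inline_scripts: 1, inline_style_tags: 1, style_attributes: 2}
end
```

Once the counts reach zero, the strict policy can be moved from the Report-Only header to the enforced one. With Rails 5.2 the same directives are expressed in the `config.content_security_policy` initializer, and `config.content_security_policy_report_only = true` switches that single policy to report-only mode.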