Feature-Policy header #142
Conversation
Perhaps the composing could be merged with content security policy - the composing loop is exactly the same - but I didn't want to change the existing code too much; this way it is clear what it does.
src/Bridges/HttpDI/HttpExtension.php
@@ -26,6 +26,7 @@ class HttpExtension extends Nette\DI\CompilerExtension | |||
'frames' => 'SAMEORIGIN', // X-Frame-Options | |||
'csp' => [], // Content-Security-Policy | |||
'csp-report' => [], // Content-Security-Policy-Report-Only | |||
'fp' => [], // Feature-Policy |
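Review bot: the new key `'fp'` at the end of the hunk is the only option name in this block that is not a recognisable abbreviation of the header it emits; the neighbouring `'csp'` and `'csp-report'` keys map to the widely used acronym, while `'fp'` tells the reader nothing without the trailing comment. Consider `'feature-policy' => [], // Feature-Policy` so the option is self-describing in user configuration. The default (an empty array, like `'csp'`) is consistent with the existing keys.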
'feature-policy' => []
is IMHO better
I thought so too, but I wanted to keep the same scheme as `csp`.
You thumbs-upped my comment about reusing the code from csp loading, but I am not sure what it means - should I keep it separate or should I reuse the code (in some function, for example)? In my other PR #143 I modified the csp loading loop (whitelist keywords). That makes reusing out of the question; what do you think?
I think that reusing is a good idea.
Wouldn't it be better to make a list of words that must be quoted?
I thought about it for a while and decided otherwise because of various reasons:
Well, now while writing this I realised that the current implementation doesn't support hash whitelisting.
A hash definition doesn't pass the regex and gets inserted without quotes.
I'll write the properties here and let you decide how we should proceed. Quoted:
Not quoted:
I would personally check for the second - regex URL check, keyword whitelist check, colon-at-the-end check - but you are the architect here :).
So probably it's best to stick with the current solution and add exceptions for
I think the regex should be changed to match URLs only (to support hashes) and then either add those colon keywords to the whitelist or check for a colon at the end.
Check if the value is a URL, check if the type is
Wouldn't it be better to add exceptions for
I think yes. So the regexp can be simply
And how to deal with the URLs? The format can be just
I have no better idea than to check for
I just noticed you already have the dot in your regex, didn't notice, sorry; expect the fix in a few minutes. :)
@dg It's up - but it seems like it broke some tests. I am not sure what the outcome of multiple values in one string should be, e.g. I am not sure why anyone would merge multiple values into one string in configuration.
I added
@harmim noted there are also other directives with non-quoted values: reflected-xss and referrer are deprecated and dropped from the standard; should I include them in the whitelist?
I merged it with the original regexp. Is there a reason to change it?
Not for Feature-Policy. But for Content-Security-Policy there are issues with quoting - hashes are unquoted but should be, style/script and some others get quoted but shouldn't.
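The quoting rule under discussion, as an added example that is not code from nette/http: keyword sources and hash or nonce sources are single-quoted, host sources, scheme sources such as `data:` and `*` are not, and a string holding several space-separated values is split so each token is quoted on its own. The function names and the sample configuration are constructed for illustration; the same builder serves Feature-Policy, whose source lists use the same quoting.

```php
<?php
declare(strict_types=1);

// Keywords the CSP grammar requires to be single-quoted; hashes/nonces are matched below.
const QUOTED_KEYWORDS = ['self', 'none', 'unsafe-inline', 'unsafe-eval', 'strict-dynamic', 'unsafe-hashes', 'report-sample'];

// Quote one source expression: keywords and hash/nonce sources get single quotes,
// host sources, scheme sources (e.g. "data:") and "*" are emitted as-is.
function quoteSource(string $value): string
{
    $v = trim($value, "'"); // tolerate input that is already quoted
    if (in_array($v, QUOTED_KEYWORDS, true)
        || preg_match('~^(sha256|sha384|sha512|nonce)-[A-Za-z0-9+/=_-]+$~', $v)) {
        return "'$v'";
    }
    return $v;
}

// Build a header value from a directive => sources map; a string with several
// space-separated sources is split so that each token is quoted individually.
function buildPolicyHeader(array $directives): string
{
    $parts = [];
    foreach ($directives as $name => $sources) {
        $tokens = [];
        foreach ((array) $sources as $source) {
            foreach (preg_split('~\s+~', trim((string) $source), -1, PREG_SPLIT_NO_EMPTY) as $token) {
                $tokens[] = quoteSource($token);
            }
        }
        $parts[] = trim($name . ' ' . implode(' ', $tokens));
    }
    return implode('; ', $parts);
}

// Constructed sample configuration, not taken from any real project.
$csp = [
    'default-src' => ['self'],
    'script-src'  => ['self', 'https://cdn.example.com', 'sha256-AbCd1234+/=='],
    'img-src'     => 'data: *',
    'object-src'  => 'none',
];
echo buildPolicyHeader($csp), "\n";

echo buildPolicyHeader(['geolocation' => ['self', 'https://maps.example.com'], 'camera' => 'none']), "\n";
```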
Together with @harmim we completed the list of directives which have unquoted values - those are
Is it meaningful to have a hash in configuration? require-sri-for, plugin-types and sandbox are skipped.
Not for me, but it is defined in the standard, so it might be a good idea to support it even when it's meaningless. Some simple website with e.g. 5 additional files could restrict its sources by hashes, IDK...
@dg Are the changes going to make it into Nette 2.4? I would welcome these features in my project (also cookies SameSite - I noticed it is implemented in some recent branch).
I think that https://developer.mozilla.org/en-US/docs/Web/Security/Subresource_Integrity is a much better way than hashes in CSP, so I would not add support at all. Backported to 2.4
Thanks
Nice one guys, cheers!
I have changed the option to
Adds the Feature-Policy header.
The header is not yet an approved standard, but the only thing still being debated is which features browsers will implement.
The syntax is the same as Content-Security-Policy; in practice I just reused the existing code.
The Feature-Policy-Report-Only header does not exist yet and, as far as I know, is not even being considered.