This repository has been archived by the owner on Sep 20, 2023. It is now read-only.
CSP: Defense in depth vs XSS #56
Labels
devops
discussion
feature
P4
Something to consider, a feature request that we may not pursue
security
React does eliminate most XSS concerns. It does not look like the current code base is vulnerable to any known React XSS attack.
The possible future attack is if user supplied data was used in a link href. For example:
In this case, the evil user could do a "javascript:evilcode..", which would run when clicked on. I've checked the codebase, and this isn't currently a problem. However, we'd want to put something in place proactively to prevent us from doing this in the future.
The Content-Security-Policy header allows us to block inline javascript, such as inserted "javascript:" links.
We can add this line to the nginx config for demo.originprotocol.com
Alternately, you can do the metatag equivalent, and place it in the HTML header for the page.
This will
This is a pretty basic CSP. At some point we could explicitly whitelist the domains that we are allowed to run javascript from.
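As an added illustration (not code from this issue or from the Origin codebase) of the two layers described above: `safeHref` is an application-side allow-list for user-supplied link targets, so a `javascript:` value never reaches an `href` in the first place, and `inlineScriptAllowed` is a small checker for a CSP header value that reports whether the policy actually forbids inline script (which is what governs `javascript:` URLs). The base origin `https://example.test/` and the sample policies are made up for the example; the scheme list is an assumed minimal set for a site like this.

```javascript
// Added example, not part of the original issue or project.
// Layer 1: never let a user-controlled string become an href with an unexpected scheme.
// The WHATWG URL parser already strips leading/trailing whitespace and embedded
// tab/newline characters and lowercases the scheme, so parsing first and then
// allow-listing the scheme catches " JavaScript:..." and "java\tscript:..." as well
// as the plain form, instead of trying to pattern-match the raw string.

const ALLOWED_SCHEMES = new Set(["http:", "https:", "mailto:"]); // assumed allow-list
const BASE_ORIGIN = "https://example.test/"; // hypothetical origin used to resolve relative links

function safeHref(candidate, fallback = "#") {
  if (typeof candidate !== "string") return fallback;
  let url;
  try {
    url = new URL(candidate, BASE_ORIGIN); // relative links resolve against our own origin
  } catch {
    return fallback; // unparseable input: do not emit a link at all
  }
  return ALLOWED_SCHEMES.has(url.protocol) ? url.href : fallback;
}

// Layer 2: check a Content-Security-Policy value the way a browser reads it.
// Per the CSP spec, the first occurrence of a directive wins, script-src falls
// back to default-src when absent, and 'unsafe-inline' is ignored once a nonce,
// hash or 'strict-dynamic' source is present in the same directive.
function inlineScriptAllowed(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!directives.has(name)) directives.set(name, tokens.slice(1)); // first one wins
  }
  const sources = directives.get("script-src") ?? directives.get("default-src");
  if (!sources) return true; // no governing directive: inline script is unrestricted
  const lowered = sources.map((s) => s.toLowerCase());
  const hasNonceOrHash = lowered.some((s) => /^'(nonce-|sha(256|384|512)-)/.test(s));
  const strictDynamic = lowered.includes("'strict-dynamic'");
  return lowered.includes("'unsafe-inline'") && !hasNonceOrHash && !strictDynamic;
}

// Sample usage with constructed inputs.
console.log(safeHref("javascript:alert(1)"));                     // "#"
console.log(safeHref("/users/42"));                               // "https://example.test/users/42"
console.log(inlineScriptAllowed("default-src 'self'"));           // false: javascript: links are blocked
console.log(inlineScriptAllowed("script-src 'self' 'unsafe-inline'")); // true: policy does not help
```

The two functions are deliberately independent: the sanitizer protects the markup even on a page served without the header, and the policy check lets a deploy step fail if someone later loosens the nginx or meta-tag policy with `'unsafe-inline'`.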
@ryana