This repository has been archived by the owner on Sep 20, 2023. It is now read-only.

CSP: Defense in depth vs XSS #56

Open
DanielVF opened this issue Jan 8, 2018 · 0 comments
Assignees
Labels
devops discussion feature P4 Something to consider, a feature request that we may not pursue security

Comments

@DanielVF
Member

DanielVF commented Jan 8, 2018

React does eliminate most XSS concerns. It does not look like the current code base is vulnerable to any known React XSS attack.

The possible future attack is if user supplied data was used in a link href. For example:

<a href={data.link_to_site}>Web</a>

In this case, the evil user could do a "javascript:evilcode..", which would run when clicked on. I've checked the codebase, and this isn't currently a problem. However, we'd want to put something in place proactively to prevent us from doing this in the future.

The Content-Security-Policy header allows us to block inline javascript, such as inserted "javascript:" links.

We can add this line to the nginx config for demo.originprotocol.com

add_header Content-Security-Policy "default-src https:; img-src https: data:";

Alternatively, you can do the meta tag equivalent, and place it in the HTML header for the page.

This will

  • Block all inline javascript from being run, preventing an injection attack
  • Block any page content not loaded over HTTPS
  • Still allow our listing images to be pulled from data URLs

This is a pretty basic CSP. At some point we could explicitly whitelist the domains that we are allowed to run javascript from.

@ryana
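The two mechanisms the issue relies on, rejecting a user-supplied href before it reaches `<a href={...}>` and a CSP whose effective script-src has no 'unsafe-inline' so that a surviving "javascript:" link still cannot run, shown together as an added example (editor-supplied, not code from the Origin repository). It assumes a page origin of https://demo.originprotocol.com/ (the host named in the issue) and Node's built-in WHATWG URL parser. The href check resolves the value the way a browser would, which is why case, leading whitespace and embedded tab/newline tricks all normalise to the rejected "javascript:" scheme. The CSP helper applies the default-src fallback and the CSP2/3 rule that 'unsafe-inline' is ignored when a nonce, hash or 'strict-dynamic' is also present, so it reports the issue's proposed header as blocking javascript: URLs.

```javascript
// Added example (not part of the Origin issue or code base): a scheme
// allow-list for user-supplied hrefs, plus a small CSP directive parser
// that answers whether a policy would let a "javascript:" link execute.
// Requires Node >= 10 for the global WHATWG URL class.
const ASSUMED_PAGE_ORIGIN = "https://demo.originprotocol.com/"; // assumed value

// Schemes a listing link may use. Everything else (javascript:, data:,
// vbscript:, ...) is rejected.
const SAFE_SCHEMES = new Set(["http:", "https:", "mailto:"]);

// True only if `href`, resolved from the page like a browser would, has an
// allow-listed scheme. The URL parser strips leading/trailing whitespace,
// removes embedded tab/newline characters and lower-cases the scheme, so
// " JaVaScRiPt:..." and "java\tscript:..." both become "javascript:".
function isSafeHref(href, base = ASSUMED_PAGE_ORIGIN) {
  if (typeof href !== "string") return false;
  let url;
  try {
    url = new URL(href, base);
  } catch (e) {
    return false; // unparsable input is not something we will link to
  }
  return SAFE_SCHEMES.has(url.protocol);
}

// Hardened form of the issue's pattern: <a href={safeHref(data.link_to_site)}>.
// Unsafe values are replaced by a harmless "#" instead of being rendered.
function safeHref(href) {
  return isSafeHref(href) ? href : "#";
}

// Parse a Content-Security-Policy value into Map<directive, sources[]>.
// Directive names are case-insensitive; a repeated directive keeps its
// first occurrence, matching browser behaviour.
function parseCsp(header) {
  const policy = new Map();
  for (const raw of header.split(";")) {
    const tokens = raw.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const name = tokens[0].toLowerCase();
    if (!policy.has(name)) policy.set(name, tokens.slice(1));
  }
  return policy;
}

// Effective source list for a fetch directive: script-src falls back to
// default-src when it is absent; null means the policy imposes no limit.
function effectiveSources(policy, directive) {
  if (policy.has(directive)) return policy.get(directive);
  if (policy.has("default-src")) return policy.get("default-src");
  return null;
}

// javascript: URLs are governed by script-src. They run only when the
// effective list allows all inline script: it contains 'unsafe-inline'
// and no nonce-/hash-source and no 'strict-dynamic' (either of which makes
// browsers ignore 'unsafe-inline').
function allowsJavascriptUrls(header) {
  const sources = effectiveSources(parseCsp(header), "script-src");
  if (sources === null) return true;
  const lower = sources.map((s) => s.toLowerCase());
  const hasUnsafeInline = lower.includes("'unsafe-inline'");
  const hasNonceOrHash = lower.some((s) => /^'(nonce-|sha256-|sha384-|sha512-)/.test(s));
  const hasStrictDynamic = lower.includes("'strict-dynamic'");
  return hasUnsafeInline && !hasNonceOrHash && !hasStrictDynamic;
}

// The header proposed in the issue, evaluated with the helper above.
const ISSUE_CSP = "default-src https:; img-src https: data:";
console.log(`javascript: links allowed under "${ISSUE_CSP}":`, allowsJavascriptUrls(ISSUE_CSP));
console.log("safeHref('javascript:alert(1)') ->", safeHref("javascript:alert(1)"));
```

Keep both layers: the href check is what stops the link from existing at all, and the header is the backstop for the day someone adds 'unsafe-inline' to script-src for an analytics snippet, at which point `allowsJavascriptUrls` flips to true and the "javascript:" link is live again.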

@matthewliu matthewliu added this to Not prioritized in Origin Project Sprints via automation Apr 14, 2018
@micahalcorn micahalcorn added the P4 Something to consider, a feature request that we may not pursue label Jun 26, 2019
Development

No branches or pull requests

4 participants