Try setting HTTP security headers for qute:// pages #4078

Status: Open
The-Compiler opened this issue Jul 17, 2018 · 4 comments
Labels
priority: 1 - middle Issues which should be done at some point, but aren't that important.

Comments

@The-Compiler (Member)

There are various security headers in HTTP. We can't actually add headers for qute:// URLs, but we could add <meta http-equiv="..." content="..."> tags to the markup.

For example, with Content-Security-Policy, it'd allow us to avoid making requests to the outside world if there ever was another XSS issue on qute:// pages.

Not sure whether that works though, those internal URLs might be handled specially somehow.

The-Compiler added the label "priority: 1 - middle" (Issues which should be done at some point, but aren't that important) on Jul 17, 2018
@The-Compiler (Member, Author)

I tried adding this to base.html:

<meta http-equiv="Content-Security-Policy" content="default-src 'none'; script-src 'self'; style-src 'self'">

but that fails because we currently embed the style and scripts into the .html file in most places. This should probably change - if we enable unsafe-inline, we might as well not use CSP at all.

Maybe we can get jinja to autogenerate nonces or hashes for the scripts though? We just need to make sure those are compatible everywhere.

@The-Compiler (Member, Author)

With some configurations, clickjacking of qute:// sites is possible in theory:

  • QtWebEngine and Qt < 5.10
  • QtWebKit (any Qt version)

However, we can't set Content-Security-Policy: frame-ancestors 'none'; or X-Frame-Options via a <meta> tag.

I don't think there's anything vulnerable on any qute:// page, but it's something to keep in mind.

@The-Compiler (Member, Author)

Looking at all headers from securityheaders.io:

  • Content-Security-Policy: We should definitely set that.
  • Strict-Transport-Security: No network connections involved
  • Referrer-Policy: Maybe?
  • X-Frame-Options: Can't set it via <meta>
  • X-Xss-Protection: QtWebEngine seems to block by default, but maybe for QtWebKit?
  • X-Content-Type-Options: Maybe?
  • Expect-CT: No network connections involved
  • Feature-Policy: Quite new, but maybe?

@The-Compiler (Member, Author)

Welp, apparently QtWebKit doesn't support nonces/hashes for CSPs and just allows all inline sources in that case.
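The hash-based approach floated in the second comment, shown as an added example; this is not qutebrowser code and not something the issue author posted. It uses only the Python standard library, so there is no Jinja2 dependency: the `InlineAssetCollector` class, the `SAMPLE_HTML` page modelled on a qute:// page with one inline style and one inline script, and the helper names are all assumptions made for this illustration. A CSP hash source is the base64 of SHA-256 over the exact UTF-8 bytes between the opening and closing tag, whitespace included, which is why the collector must not strip or normalise the content. Note that this only helps on engines with CSP Level 2 support; as the last comment says, QtWebKit ignores hashes and nonces and simply allows all inline sources, and `frame-ancestors` cannot be delivered via `<meta>` at all.

```python
import base64
import hashlib
from html.parser import HTMLParser

# Constructed sample page (an assumption for this example), shaped like a
# qute:// page that embeds its style and script inline rather than via src/href.
SAMPLE_HTML = """<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8">
<style>body { font-family: sans-serif; }</style>
<script>document.title = "qute://example";</script>
</head>
<body>
<h1>Example</h1>
<script src="qute://resource/example.js"></script>
</body>
</html>
"""


class InlineAssetCollector(HTMLParser):
    """Collect the raw bodies of inline <script> and <style> elements.

    External scripts (those with a src attribute) are skipped: they are
    covered by script-src 'self' and are never hashed.
    """

    def __init__(self):
        super().__init__()
        self.scripts = []
        self.styles = []
        self._current = None   # tag whose body is being buffered, if any
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "style"):
            return
        if tag == "script" and dict(attrs).get("src") is not None:
            return
        self._current = tag
        self._buf = []

    def handle_data(self, data):
        # HTMLParser may deliver the body in several chunks; keep them verbatim.
        if self._current is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == self._current:
            body = "".join(self._buf)
            (self.scripts if tag == "script" else self.styles).append(body)
            self._current = None


def csp_hash(source: str) -> str:
    """Return the CSP source expression 'sha256-<base64>' for an inline body."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return "'sha256-" + base64.b64encode(digest).decode("ascii") + "'"


def build_csp(html: str) -> str:
    """Build a policy that allows same-origin assets plus the exact inline
    bodies found in `html`, without resorting to 'unsafe-inline'."""
    collector = InlineAssetCollector()
    collector.feed(html)
    collector.close()
    script_src = ["'self'"] + [csp_hash(s) for s in collector.scripts]
    style_src = ["'self'"] + [csp_hash(s) for s in collector.styles]
    return "; ".join([
        "default-src 'none'",
        "script-src " + " ".join(script_src),
        "style-src " + " ".join(style_src),
    ])


def csp_meta_tag(html: str) -> str:
    """The <meta> tag a template could emit in <head> for the rendered page."""
    return '<meta http-equiv="Content-Security-Policy" content="%s">' % build_csp(html)


if __name__ == "__main__":
    print(csp_meta_tag(SAMPLE_HTML))
```

A template engine would run `build_csp` over the rendered body and then inject the tag into `<head>`; any later edit to an inline block changes its hash automatically, whereas a nonce scheme would need the same random value threaded into both the tag and every `nonce=` attribute.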
