Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Enable content security policy in report-only mode #6642

Merged
merged 1 commit into from Feb 20, 2020

Conversation

davidfischer
Copy link
Contributor

@davidfischer davidfischer commented Feb 10, 2020

Content security policy is a security measure that sites can opt into by sending a configurable HTTP header. When a site is really locked down, this can prevent most XSS attacks by restricting inline JS completely or restricting the origins where scripts may be loaded from or send data to.

Getting there will be hard and this is just a very first step in that process. This change:

  • Enables CSP in report-only mode. It will not actually block anything. Violations will be noted to the browser console. In prod, violations can be reported to Sentry if CSP_REPORT_URI is configured (the reporting is done by the browser, not some task in our code).
  • If CSP were not in report-only mode, the current settings would prevent
    • framing the site (already prevented with x-frame-options)
    • embedding any applets, objects, or embeds
    • blocking any mixed content (loading styles over HTTP while the main site is HTTPS)
  • This applies only to the core site, not to any documentation sites.

This change can create a feedback loop where we can slowly add policies, fix any issues we see from those policies reported to Sentry from production, and then ensure there's no fallout from those policies. When we are happy with our settings, we can switch from report-only to actually enforce the policy.

Ref #2793

- If CSP were not in report-only mode, this would prevent
  * framing the site (already prevented with x-frame-options)
  * embedding any applets, objects, or embeds
  * block any mixed content
- Instead violations of these policies will be reported.
  They can be reported to Sentry if CSP_REPORT_URI is configured
@davidfischer davidfischer requested a review from Feb 10, 2020
Copy link
Member

@ericholscher ericholscher left a comment

Makes sense. 👍

Copy link
Member

@humitos humitos left a comment

Nice!

@davidfischer davidfischer merged commit 07f70f0 into master Feb 20, 2020
3 checks passed
@davidfischer davidfischer deleted the davidfischer/content-security-policy-reporting branch Feb 20, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

None yet

3 participants