This repository has been archived by the owner on Dec 11, 2019. It is now read-only.

Make app/index*.html CSP more restrictive #584

Closed
diracdeltas opened this issue Feb 3, 2016 · 5 comments

Comments

@diracdeltas
Member

At minimum

  • get rid of 'unsafe-inline'

Good to have

  • get rid of img-src * (needed for favicons)
@bbondy
Member

bbondy commented Feb 3, 2016

Favicons, after downloading via XHR, we can base64 and use data URLs. I think we should have that anyway for session restore and other props inside the frameProps.

@diracdeltas
Member Author

> Favicons, after downloading via XHR, we can base64 and use data URLs. I think we should have that anyway for session restore and other props inside the frameProps.

Yep, would just have to send the XHR in a child browsing context (webview / iframe / maybe a worker?) so as to avoid connect-src *; cf. https://www.w3.org/TR/CSP2/#which-policy-applies

@diracdeltas
Member Author

Inline scripts are gone. Inline styles are tricky because the webpack style loader that we're using inserts them.

@bbondy
Member

bbondy commented Feb 3, 2016

FYI, for preferences I added the same for the webpack-included less files and font-awesome.

@diracdeltas diracdeltas added this to the 1.0.0 milestone Nov 7, 2016
@alexwykoff alexwykoff modified the milestones: 1.0.0, Backlog Nov 1, 2017
@diracdeltas
Member Author

Closing in favor of #12263

@luixxiul luixxiul removed this from the Triage Backlog milestone Dec 13, 2017
4 participants