Add CSP for not allow frame-ancestors #530
Codecov Report: All modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found.

Additional details and impacted files:

@@ Coverage Diff @@
##             main     #530      +/-   ##
==========================================
- Coverage   91.48%   91.48%   -0.01%
==========================================
  Files         599      599
  Lines       16271    16268       -3
==========================================
- Hits        14885    14882       -3
  Misses       1386     1386

Flags with carried forward coverage won't be shown. ☔ View full report in Codecov by Sentry.
Codecov Report: All modified and coverable lines are covered by tests ✅
✅ All tests successful. No failed tests found.

Additional details and impacted files:

@@ Coverage Diff @@
##            main    #530   +/-   ##
=====================================
  Coverage   95.78   95.78
=====================================
  Files        774     774
  Lines      17127   17124    -3
=====================================
- Hits       16404   16401    -3
  Misses       723     723

Flags with carried forward coverage won't be shown. ☔ View full report in Codecov by Sentry.
@@ -304,16 +305,9 @@ | |||
"REDOC_DIST": "SIDECAR", # serve Redoc from Django (not CDN) | |||
} | |||
|
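Review bot: the hunk header `@@ -304,16 +305,9 @@` shows the settings block ending at `"REDOC_DIST": "SIDECAR"` shrinking from 16 lines to 9, but none of the removed lines survive in this context, so the CSP_* directives being dropped (as discussed in the thread) cannot be reviewed here; please enumerate them in the PR description so the Content-Security-Policy header django-csp will now emit can be compared against what the removed settings would have produced.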
The reason I removed these existing policies is that they weren't doing anything before this commit. These CSP_* configurations are consumed by the CSPMiddleware module, so we probably don't need them, as they didn't do anything this whole time.
This makes sense. I'm wondering if maybe these were meant to be on at some point, though, but the implementation was just never finished 🤔
Or, conversely, they were never cleaned up.
Looks like they were added purposefully by Scott ~13 months ago, maybe we should actually keep?
Yeah it was purposefully added, but the thing is those CSP headers aren't even in the response because the app doesn't use CSP headers right now. And with this change it would add those CSP headers, so I kind of don't want to introduce all those policies now, not knowing what they would impact.
Yeah that's a fair point, we can always add them back too if we want
@@ -68,6 +68,7 @@ | |||
"codecov_auth.middleware.CurrentOwnerMiddleware", | |||
"codecov_auth.middleware.ImpersonationMiddleware", | |||
"core.middleware.AppMetricsAfterMiddlewareWithUA", | |||
"csp.middleware.CSPMiddleware", |
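Review bot: appending `"csp.middleware.CSPMiddleware"` after `"core.middleware.AppMetricsAfterMiddlewareWithUA"` makes every CSP_* setting still present in settings a live Content-Security-Policy header on every response; django-csp 3.x also emits `default-src 'self'` when CSP_DEFAULT_SRC is not set, so if the intent is a `frame-ancestors 'none'` header only, please capture the generated header from a real response (and note the expected value in the PR description) before merging, since a default-src restriction would affect scripts and assets, not just framing.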
Just adding a comment here that middleware order doesn't matter: https://django-csp.readthedocs.io/en/latest/installation.html
since I was curious about that.
Testing confirmed that the platform lacks the Content-Type-Security header in HTTP responses. This does not directly lead to a security issue, yet it might aid attackers in their efforts to exploit other areas of weakness.
The X-Frame-Options header is present and this item specifies whether the web page is allowed to be framed. Although this header is known to prevent clickjacking attacks, a plethora of alternative breach strategies are achievable when a web page is frameable. The Content-Security-Policy (CSP) framework offers similar protection to X-Frame-Options via methods that overcome some shortcomings of the aforementioned header.
To optimally protect users of older browsers and modern browsers simultaneously, Cure53 recommends deploying the Content-Security-Policy: frame-ancestors 'none'; header in addition to the already implemented solutions.
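As an added example (not code from codecov-api, django-csp or the Cure53 report), the following Python checker classifies how a response's headers constrain framing, applying the CSP3 rule that a `frame-ancestors` directive takes precedence over `X-Frame-Options` when both are present and treating the never-standardised `ALLOW-FROM` value as the no-protection case current browsers make of it. The sample response headers are constructed to mirror the before and after state of this PR.

```python
"""Added example (not codecov-api or django-csp code): classify how a response's
headers constrain framing. Follows the CSP3 rule that a frame-ancestors
directive, when present, takes precedence over X-Frame-Options."""
from typing import Dict, List, Optional, Tuple


def frame_ancestors(csp: Optional[str]) -> Optional[List[str]]:
    """Return the source list of the first frame-ancestors directive, or None."""
    if not csp:
        return None
    for directive in csp.split(";"):
        tokens = directive.strip().split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return [t.lower() for t in tokens[1:]]
    return None


def framing_verdict(headers: Dict[str, str]) -> Tuple[str, str]:
    """Return (verdict, mechanism) for the framing protection a response carries.

    verdict:   'deny' | 'same-origin' | 'allowlist' | 'unprotected'
    mechanism: 'csp' | 'x-frame-options' | 'none'
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    sources = frame_ancestors(lowered.get("content-security-policy"))
    if sources is not None:
        # Browsers that understand frame-ancestors ignore X-Frame-Options entirely.
        # An empty source list is equivalent to 'none' per the CSP spec.
        if sources in (["'none'"], []):
            return "deny", "csp"
        if sources == ["'self'"]:
            return "same-origin", "csp"
        return "allowlist", "csp"
    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "deny", "x-frame-options"
    if xfo == "SAMEORIGIN":
        return "same-origin", "x-frame-options"
    # ALLOW-FROM (or any other value) is not recognised by current browsers,
    # which then ignore the header, leaving the page frameable from anywhere.
    return "unprotected", "none"


# Constructed sample responses: X-Frame-Options only, then with the CSP header
# this PR adds alongside it.
BEFORE = {"X-Frame-Options": "DENY"}
AFTER = {"X-Frame-Options": "DENY",
         "Content-Security-Policy": "frame-ancestors 'none'"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, framing_verdict(hdrs))
```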
Legal Boilerplate
Look, I get it. The entity doing business as "Sentry" was incorporated in the State of Delaware in 2015 as Functional Software, Inc. In 2022 this entity acquired Codecov and as result Sentry is going to need some rights from me in order to utilize my contributions in this PR. So here's the deal: I retain all rights, title and interest in and to my contributions, and by keeping this boilerplate intact I confirm that Sentry can use, modify, copy, and redistribute my contributions, under Sentry's choice of terms.