Content Security Policy #2793
Comments
If I understand correctly, we need two things here:
Yes. Fixing the rtd theme shouldn't be too difficult and adding the response header is just one 'add_header' config line in the nginx config.
Depends on readthedocs/sphinx_rtd_theme#545
Things are moving somewhat on sphinx and on the Read the Docs sphinx theme but we could probably add a content security policy to readthedocs.org without waiting for anything else.
With that said, we could still improve security by finding any other cases like this and eliminating resources possibly being loaded over plain HTTP. We could turn on CSP in report-only mode to report any violations into Sentry (a separate sentry project in case it's noisy). The header would look something like:
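An added example (not the commenter's header and not Read the Docs code) of what a report-only rollout like the one described involves: a constructed policy value, a small parser for it, and triage of the JSON violation reports that browsers POST to the report-uri endpoint, flagging resources blocked because they were requested over plain HTTP. The /csp-report path and the example hostnames are assumptions.

```python
import json
from collections import Counter

# Constructed report-only policy for a staged rollout (assumption: the
# /csp-report endpoint is a hypothetical path, not Read the Docs' own).
REPORT_ONLY_HEADER = (
    "default-src 'self'; script-src 'self' https:; style-src 'self' https:; "
    "img-src 'self' https: data:; report-uri /csp-report"
)

def parse_policy(header_value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for clause in header_value.split(";"):
        tokens = clause.split()
        if tokens:
            policy[tokens[0]] = tokens[1:]
    return policy

def classify_violation(report_body):
    """Classify one violation report as a browser POSTs it to report-uri:
    a JSON object wrapped in a 'csp-report' key."""
    report = json.loads(report_body).get("csp-report", {})
    blocked = report.get("blocked-uri", "")
    directive = report.get("effective-directive") or report.get("violated-directive", "")
    if blocked.startswith("http://"):
        kind = "plain-http"   # mixed content: the case the thread wants found
    elif blocked == "inline":
        kind = "inline"       # inline script/style the theme still ships
    else:
        kind = "other"
    return kind, directive, blocked

def summarize(report_bodies):
    """Count violation kinds so a noisy report-only rollout can be triaged."""
    return Counter(classify_violation(body)[0] for body in report_bodies)

# Constructed sample reports (not real browser captures).
SAMPLE_REPORTS = [
    json.dumps({"csp-report": {"document-uri": "https://docs.example.invalid/en/latest/",
        "effective-directive": "script-src", "blocked-uri": "http://cdn.example.invalid/x.js"}}),
    json.dumps({"csp-report": {"document-uri": "https://docs.example.invalid/en/latest/",
        "effective-directive": "style-src", "blocked-uri": "inline"}}),
    json.dumps({"csp-report": {"document-uri": "https://docs.example.invalid/en/latest/",
        "effective-directive": "img-src", "blocked-uri": "data"}}),
]

if __name__ == "__main__":
    print(parse_policy(REPORT_ONLY_HEADER), summarize(SAMPLE_REPORTS))
```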
So, readthedocs.org/readthedocs.com have a very basic CSP, but we are implementing a stricter policy for our new dashboard (app.readthedocs.org/com). About having a policy for documentation pages, we have the ability to do so by contacting support (at the moment it applies to custom domains only).
https://docs.readthedocs.io/en/stable/security-implications.html#embedding-documentation-pages I don't think we will ever enable a CSP policy by default on docs pages, as that depends a lot on the tool and theme being used. And our old integrations use some inline JS. I think we can close this issue.
Details
It would be nice if Read The Docs would use an HTTP Content Security Policy header to improve the security of Read The Docs. Current Sphinx themes do not allow setting a sufficiently secure Content Security Policy header because some JavaScript and CSS is currently inline with the HTML. I've opened a ticket at Sphinx about this, but maybe the readthedocs team could help adjust the themes and thus improve security of the Sphinx themes.
See:
sphinx-doc/sphinx#3620